11 Rules to Ease Employee Stress! Keeping Burnout at Bay Page 72


MAY  1,  2003  •  $9.00 


cio.com 


Advice  from  PM  Masters 
Plus  Tools,  Techniques 

and  Models  Page  56 


WHY  GOOD  CIOs 
MAKE  BAD  DECISIONS 

A Q&A with MIT's Dan Ariely

Page  82 


THE RESOURCE FOR INFORMATION EXECUTIVES


“You can’t complete
projects just because
you started them,”
says CKE Restaurants
CIO Jeff Chasney. With
good PM, Chasney
knows which to finish
and which to kill.


WHERE  ASPs  CAN 
WORK  FOR  YOU 

(Hint:  Think  CRM) 

Page  88 

CONSIDERING  A 
PUBLIC-SECTOR  JOB? 
CONSIDER  THIS.... 

Page  94 


PORTFOLIO MANAGEMENT




Introducing Microsoft Windows Server 2003. Do more with less.

You’re being asked to do more. You’re being asked to do it with less. Microsoft® Windows® Server 2003 is
designed  to  help  you  manage  these  opposing  forces  and  deliver  powerful  software  solutions  with  less  time, 
money,  and  hassle.  For  more  information,  and  to  get  your  free  evaluation  copy  of  Windows  Server  2003 
by  July  31,  2003,  go  to  microsoft.com/windowsserver2003  Software  for  the  Agile  Business. 

The  London  Stock  Exchange,  with  the  help  of  Accenture,  selected  Windows  Server  2003  as  the  foundation  for 
their  real-time,  business-critical,  market  information  delivery  system.  Using  Visual  Studio  .NET  and  the  Microsoft 
.NET  Framework,  this  innovative  new  system  was  developed  in  less  than  eight  months  from  conception  to  production 
and  now  serves  100,000  terminals  worldwide  with  up  to  3,000  transactions  per  second. 



BEFORE  WE  PROTECT  YOUR  DATA 
WE  CUT  IT  DOWN  TO  SIZE. 


800.934.0956  (toll-free  North  America)  or  visit  www.connected.com.  Over  500  organizations  now  use  Connected 
for  Data  Reduction  &  Protection.  These  include  Boeing,  Cisco  Systems,  Citgo  Petroleum,  EMC,  GAP  Inc., 
Goodrich,  Hewlett-Packard,  Koch  Industries,  PeopleSoft,  Silicon  Graphics,  US  Postal  Service,  and  Verizon. 

©Connected  Corporation.  All  rights  reserved.  Connected,  Connected  DataProtector  and  Connected  EmailOptimizer  are  trademarks  of  Connected  Corporation. 


Announcing,  not  a  moment  too  soon,  an  entirely 
new  way  to  deal  with  a  growing  problem:  the 
vicious  cycle  of  feeding  servers  more  and 
more  data,  requiring  more  and  more  servers. 

The  solution,  if  we  do  say  so 
ourselves,  is  rather  elegant. 

A patented technology that runs on all your PCs to automatically
capture, reduce and protect the data they create. That’s
worth repeating: Captures it, shrinks it, backs it up.

We’re talking data, email archives, system state and PC
asset info across all the PCs in your enterprise.

Its name, Connected DataProtector™ with Email
Optimizer™ 7.0. You may call it godsend for short. More
than mere compression, it avoids duplicating any file and
saves only the data that changes. Over time, this can reduce
storage requirements by up to 50%.

Use our servers instead of yours and the dollar savings
become downright huge. No capital investment, virtually no
downtime, and nice, predictable, scalable costs.

If your data storage requirements are getting a little out
of hand, call. And let us take a whack at them.

CONNECTED 


Cover  Story 

PORTFOLIO MANAGEMENT | 56

PORTFOLIO 
MANAGEMENT: 
How  to  Do  It  Right 

Portfolio  management  is  a  tool  with  clear  benefits, 
among  them  a  holistic  view  of  IT  projects  across  the 
enterprise  and  the  alignment  of  IT  with  corporate 
strategy.  But  it  isn’t  easy.  We’ve  found  some 
portfolio  managers  willing  to  share  their  secrets. 

By  Todd  Datz 


Jeff  Chasney,  CIO  of  CKE  Restaurants,  reviews  IT  projects  monthly  and 
will  cancel  a  new  project  if  there’s  a  change  in  CKE’s  strategy.  “You  can’t 
complete  projects  just  because  you  started  them,”  he  says. 


COVER  PHOTO  BY  JAY  BLAKESBURG 


Features 


I.T.  STAFFING 
Staff Alert | 72

With  outsourcing  on  the  rise,  CIOs  are  at  the  center  of  a  morale 
crisis.  They  see  many  of  their  workers  battling  stress  on  the  job. 
The  best  leaders  learn  to  help  employees  now — and  keep  them  in 
the  future.  By  Stephanie  Overby 


British Airways General Manager
for E-Service Dave Bevan
says integrating a hosted salesforce
tool was no more difficult
than integrating a licensed
software package. For more on
the increasing number of companies
rediscovering ASPs, see
“ASPs: The Next Chapter.”


Q&A | DAN ARIELY

Why Good CIOs Make Bad Decisions | 82

Dan Ariely’s research in behavioral economics seeks to explain
why CIOs make poor investment decisions and why they don’t
know what technology is worth. By Meridith Levinson

SALES AND MARKETING AUTOMATION
ASPs: The Next Chapter | 88

Application service providers are increasingly viewed as a viable
option in the CRM space, particularly for small and midsize
companies. By Meridith Levinson

CIO ROLE

From Private to Public | 94

Private-sector CIOs are bringing new levels of expertise to government
IT. And public service teaches CIOs skills that the private
sector is finding ever more essential. By Tracy Mayor



CIO  MAY  1,  2003  •  www.cio.com 


Your 




Your  needs. 
Your  choice. 


It's  high  time  someone  in  the  software  industry  started  listening  to  your  needs.  And  standing  up  for  your 
rights.  Like  the  right  to  have  month-to-month  licensing.  And  the  right  to  no  upfront  payments.  That's  why 
we offer FlexSelect Licensing℠ to all our customers. This revolutionary approach to licensing is based on
doing  business  on  your  terms,  not  ours.  So  you  can  have  just  the  software  you  need,  just  when  you  need 
it.  Check  it  out  today.  And  find  out  how  FlexSelect  Licensing  is  raising  more  than  just  eyebrows  in  the 
software  industry.  It's  raising  standards.  ca.com/flexselect 

Computer  Associates® 


Introducing FlexSelect Licensing℠


©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


Introducing  a 
Business  Intelligence 
Breakthrough  of 
Enterprise  Proportions. 


BusinessObjects  Enterprise  6. 

This  is  a  breakthrough.  And  a  big  one.  BusinessObjects  Enterprise  6  is,  very  simply, 
the  new  benchmark  for  enterprise  business  intelligence. 

It's a complete suite of integrated business intelligence software designed to meet
the needs of all your users. It provides the industry's best web query, reporting,
and analysis capabilities. The most complete and advanced suite of analytic
applications. The best packaged application connectivity. And end-to-end
product integration. The bottom line? Enterprise 6 enables your organization
to track, understand, and manage enterprise performance better than ever
before. Better than with any competing product. Or combination of products.
More than 17,000 companies around the world rely on award-winning
Business Objects business intelligence software to unlock the power of
information to improve enterprise performance.

To  view  our  interactive  product  demonstration  or  to  reserve  a  place  at  our 
seminar  series,  visit  www.businessobjects.com/e6.  Or  call  us  at  1-800-527-0580. 
And  experience  the  breakthrough  power  of  BusinessObjects  Enterprise  6,  today. 


Business  Objects 


Columns 

NET GAINS
How to Keep Your
Customers Satisfied | 44

To learn if end users are happy, you
have to ask the right people — and the
right questions. By Mohanbir Sawhney

PEER TO PEER
How to Pass
the Stress Test | 50

An IT executive tells the story of his
own stress-related breakdown and
recovery, and reveals what you can
do to avoid the abyss.

By John L. Haughom

Sections

TRENDLINES | 28

Technology job-hunters unite; European
security spending; A day in the life of a
smart card. And more

ON THE MOVE | 33

CIOs on the go — see where your IT peers
are working now.

PROFILE: The CIO’s CFO — Rick Puckett.

BY THE NUMBERS | 38

Manage IT as a portfolio.


HOTSEAT | 102

Your Guide
to Managing

Walk the Expectation Tightrope

CIOs need a light touch to set business
managers’ expectations on IT projects —
and still appear helpful.

By Meridith Levinson

Management Reports | 105

How to lead as a team of CXOs.

Leadership Agenda | 106

Full-circle or 360-degree feedback
assessments must meet three conditions
to be useful. By Susan H. Cramm


EMERGING TECHNOLOGY | 108

Categorization software helps search-tool
users find what they seek.

By Fred Hapgood

UNDER DEVELOPMENT | 112

Bubbling up nanostructures.

COMPANY TO WATCH | 113

Polycom eliminates connection
boundaries to distance conferencing.


“CIOs  shouldn’t  forget  that  business 
units  aren’t  captive  customers  whose 
loyalty  can  be  taken  for  granted.  CIOs 
who  can’t  satisfy  users  may  find  their 
jobs  on  the  line.” 

-Mohanbir  Sawhney,  Net  Gains  columnist,  on  user  satisfaction  Page  44 


"Business  managers  have  got  to  know  you  want  the 
project  to  work  just  as  badly  as  they  want  it  to  or 
more  so,"  says  Hon  Industries  CIO  Malcolm  Fields. 


In  Every  Issue 

FROM THE EDITOR
The Case for Portfolio
Management | 20

If CIOs would just look at the business
case for portfolio management, maybe
more of them would do it.

By Richard Pastore

INBOX | 22

Reader feedback

INDEX | 114

EXECUTIVE SUMMARY | 116

Abstracts  of  all  the  feature  stories  found 
in  this  issue. 




IMAGEANYWARE Once you started, nothing could stop you. And, as usual, nothing did. Yes, your can do spirit
led you to an alternative to those single-function, network color printers: multifunction color
printing solutions from Canon, the leader in color imaging in the office.* Color imageRUNNER® is fully connected and expands your capabilities
across your network. That means along with superior image quality, you’ll have lower operating costs. The result: a faster, better
alternative to outsourcing, plus increased productivity. All of which leads to bottom line savings and a competitive advantage for your company.
So, now you're going places. Yes, thanks to Canon know-how, it’s smooth sailing all the way. 1-800-OK-CANON www.usa.canon.com

Canon is a registered trademark and Canon Know How is a trademark of Canon Inc. IMAGERUNNER is a registered trademark of Canon Inc. in the U.S. and Canada. IMAGEANYWARE is a service mark of Canon U.S.A., Inc. ©2003 Canon U.S.A. Inc. *Source: Gartner Dataquest 2002.


Canon KNOW HOW™




Where  is  it  written  that  the  race  belongs  to  the  large? 
At  META  Group,  we  believe  the  race  belongs  to  the  IT 
advisory  firm  that  delivers  the  highest-value  research 
and  guidance.  Quite  simply,  research  and  guidance  that 
can  be  used  profitably  and  deliver  a  return  on  investment. 
We  are  told  by  clients  that  what  separates  us  is  that  we 
deliver  practical,  incisive  research  that  can  actually  be 
used:  high-value,  in-context  intelligence  backed  by  an 
increasingly  unique  strategy— human-to-human  contact. 
Experience  the  difference.  Call  us  at  800-945-META 
or  visit  metagroup.com. 


WEB connections

Interactive  features  from  May  1  to  May  15 

ADD  A  COMMENT 

Asking  the  Right 
Questions 

Net  Gains  columnist  Mohanbir  Sawhney 
says  if  you  aren’t  careful,  customer 
satisfaction  measurement  may  be  doing 
your  IT  organization  more  harm  than 
good  (see  How  to  Keep  Your  Customers  Satisfied,  Page  44).  You  need 
to  know  who  to  ask— and  what  to  ask  them.  What  do  you  think?  Are  your 
customers  loyal  because  they  have  no  choice?  Ask  Professor  Sawhney 
your  questions  or  give  him  your  two  cents.  Go  directly  to  the  online 
column  from  the  CIO.com  homepage. 

WEIGH  IN 

How  do  you  keep  your  staff  happy? 

Be a good buffer. Offer creative outlets. That’s just some of the advice for the care and
feeding of your precious IT staff in these tight times (see Staff Alert, Page 72). What techniques
have you used to keep your star performers happy and productive?

Go  to  comment.cio.com/weighin. 

You  can  also  find  the  links  to  these  pieces  in  the 

WEB  CONNECTIONS  box  at  www.cio.com. 


The  Best  Practice  Exchange 

In  Portfolio  Management:  How  to  Do  It  Right  (see 
Page  56),  experts  offer  advice  for  prioritizing  IT 
investments  and  aligning  them  with  corporate 
goals.  What’s  your  take  on  portfolio  management? 
Has  the  payoff  been  worth  the  effort?  How  do  your 
colleagues’  experiences  compare  with  your  own? 

From  May  1  to  15,  the  CIO  Best  Practice 
Exchange,  CIO's  members-only  online  forum  for  IT 
executives,  will  focus  on  IT  portfolio  management. 
To  join  them,  visit  exchange.cio.com.  (For  qualified 
IT  executives  only.  New  members  must  apply.) 


EVA  Award 
Applications 

Since  1993,  CIO  has  honored 
companies  for  exemplary  use  of  IT 
that  has  added  true  value  to  their 
organizations. 
Apply  now  for  a 
prestigious 
2004  CIO 
Enterprise 
Value  Award. 
Applications  are  available  online 
until  May  15  at  www.cio.com/ 
awards/eva. 


Our  Daily  Web 

MONDAY Tech Tact Technology
Editor Christopher Lindquist covers
what’s coming.

TUESDAY Alarmed Security
experts Sarah D. Scalet and Scott
Berinato give you
something new to
worry about.

WEDNESDAY Metrics Web
Writer Jon Surmacz
makes sense
of the numbers.

THURSDAY Sound Off Web Editorial
Director Art Jahnke
opines on managerial,
political and
ethical dilemmas.

FRIDAY The Big Picture Charts
and graphs that are worth a
thousand words.


What’s  In  Store 

Several  CIO  Focus  guides  are  on 

sale  now  in  the  CIO  Store  that 

relate  to  stories  in  this  issue: 

■  Staff  Alert  (see  Page  72):  How  to 
Retain  IT  Staff  in  Boom  Times 
and  Bad 

■  ASPs:  The  Next  Chapter  (see 
Page  88):  Customer  Relationship 
Management:  Maximizing 
Rewards,  Minimizing  Risks 

■ Portfolio Management: How to
Do It Right (see Page 56): Strategic
Planning: How to Develop and
Align IT Strategy

Go  to  www.theciostore.com. 



TIBCO  is  the  leading  independent 
integration  software  provider. 


SO  HOW  ARE  YOU 
SUPPOSED  TO  GROW  REVENUE? 

The  answer  is  integration.  TIBCO  Software's 
proven  integration  solutions  will  help  your  company 
cut  costs  while  increasing  the  capability,  agility 
and  efficiency  of  your  business.  By  unifying  and 
optimizing  your  existing  assets — people,  processes 
and  legacy  systems — you  can  do  more  with  what 
you  already  have.  And  do  it  better. 

TIBCO  gives  you  the  benefits  of  real-time 
business,  getting  information  where  and  when 
it's  needed  and  coordinating  activities  end-to-end. 
You'll  automate  processes,  while  giving  people 
the  information  to  make  better  decisions  and  act 
more  quickly.  It's  what  we  call  The  Power  of  Now.™ 
Our  unbiased  approach,  proven  technology  and 
easily-deployed  integration  solutions  will  help  you  grow  your  business 
even  in  today's  difficult  environment. 


Delta  Air  Lines,  NASDAQ  and  Pirelli  are  among  more  than 
2,000  leading  companies  we've  helped  to  cut  costs  and  drive 
revenue.  Learn  how  we  can  help  your  company  do  more  with 
less.  Call  800-420-8450,  or  visit  us  at  www.tibco.com/cib 


YOU’RE  CUTTING  COSTS, 
TRIMMING  STAFF  AND 
MAKING  DO  WITH  LESS. 


TIBCO

The Power of Now™


registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Windows  Server  2003 

Datacenter  Edition 


THE  WINDOWS  DATA  CENTER:  TODAY’S  LOW-COST, 
HIGH-PERFORMANCE  ANSWER  TO  COMPLEXITY. 

Decisions  about  your  data  center 
never  have  to  be  made  by  default 
again.  Introducing  the  proven 
alternative  to  UNIX:  The  Windows® 
Data  Center.  Featuring  the  Unisys 
ES7000  and  new  Microsoft®  Windows 
Server  2003,  it’s  a  solution  that  brings 
revolutionary  performance  and  low- 
cost  standardization  to  the  enterprise 
like  never  before. 

With  mainframe-like  integrity, 
the  ES7000  and  Windows  Server 
2003  fully  optimize  today’s  enterprise 
data  center.  It’s  no  wonder  nearly  50% 
of  large  organizations 
are  standardizing  on 
Windows  operating 
systems.1 

And  by  focusing 
solely  on  enabling 
standardized,  end-to- 
end  Windows  data 
centers,  Unisys  helps 
generate  staff 
efficiencies,  increase 
agility  and  mitigate 
risks  -  all  while  achieving  greater 
return  on  technology  investment. 

So  if  you’ve  had  quite  enough  of 
your  inflexible  data  center,  let  us  help 
you  escape.  After  all,  nobody  wants  to 
be  on  the  wrong  side  of  a  revolution. 


WIN  A  FREE  TOSHIBA  TABLET  PC 

Call  1-800-548-3443  or  visit 
WeHaveTheWayOut.com


UNISYS 

ES7000 


UNISYS 

Microsoft 


From  the  Editor 

pastore@cio.com 


What do your peers have to
say about portfolio management?
From May 1 to 15, the
CIO Best Practice Exchange,
CIO's members-only online
forum for IT executives,
takes up the case of portfolio
management. (New
members must apply.)

Go  to  exchange.cio.com. 


The  Case  for  Portfolio 
Management 


SEVENTY-FIVE PERCENT of companies do not
possess clear, ongoing oversight of their IT project
portfolios, according to an AMR Research study.
In this economy, where people continue to lose
their jobs and capital funding is severely rationed,
this lack of oversight seems criminal. Most CIOs
continue to steer project funding ad hoc, project by
project, with little thought for the entire investment
picture. Perhaps they just don’t realize how
powerful a tool portfolio management is and what
a great payoff it provides for such little investment.
Using the information in “Portfolio Management:
How to Do It Right” (Page 56), I’ve sketched out
a little business plan that I hope will make the case
for portfolio management.

Benefits  to  the  Organization 

1. Fairer decisions about funding. Both initial project
approval and ongoing management are based
on a holistic view of total investments prioritized
by relative benefit to the enterprise — not on a project
sponsor’s political muscle.

2. Optimal mix of investment risk and reward.
Portfolio management facilitates the balance of
riskier, higher-reward projects versus safer, lower-reward
ones because it categorizes, prioritizes and
monitors new and ongoing investments.

3. Better communication between IS and business
leaders. Portfolio management gives IT and business
leaders a common language and platform for
communication because it is a financial model.

4. Greater understanding and cooperation over
funding allocation. Everybody sees where the dollars
are flowing and why.

5. Greater business accountability for investments.
Portfolio management can be used to assign
responsibility to appropriate leaders.

6. Strengthened alignment between IS and the business.
Portfolio management dictates that technology
investments map to corporate strategic
objectives. Misaligned projects surface quickly.

7. More efficient use of human resources. The number
of IT staff and managers allocated to various
projects becomes more visible and comparable.

8. Fewer redundant and overlapping projects. The
portfolio view exposes redundancy.

Costs  in  Time  and  Resources 

1. The time necessary to take inventory of all ongoing
and proposed projects, sort them into categories
and populate the portfolio.

2. Cost to develop or purchase a portfolio management
tool.

Hopefully  this  brief  business  case  will  wake  up  a 
few  people  at  those  75  percent  of  companies  that 
are  missing  out  on  this  very  powerful  tool.  But  I 
have  my  doubts;  another  study  by  Meta  Group 
showed  that  only  16  percent  of  companies  bother 
with  business  cases  for  their  IT  projects. 

It  figures. 




PHOTO  BY  WEBB  CHAPPELL 



Toughbook  72 


WHO  KNEW  SO  MUCH  BUSINESS  WOULD  HAPPEN  OUT  HERE? 

WE  DID. 

When  business  moved  to  the  outside  world,  Panasonic  was  there  waiting.  For 
15  years,  we  have  focused  exclusively  on  building  rugged  mobile  PCs-like 
our  Toughbook®  line-designed  specifically  for  the  harsh  environments  and 
unpredictable  challenges  facing  mobile  professionals.  We  manufacture  all  the 
critical  components  ourselves  for  maximum  reliability  and  performance.  And 
offer  optional  integrated  wireless  capability  for  real-time  communications, 
instant  LAN  connections  and  “anywhere”  email  access. 

Unmatched  reliability.  Wireless  connectivity.  A  vision  of  work  in  the  outside 
world.  Call  Panasonic  Computer  Solutions  Company  at  1-800-662-3537  or 
visit  us  on  the  Web  at  panasonic.com/toughbook. 



Panasonic  ideas  f 


Intel,  the  Intel  Inside  Logo  and  Pentium  are  trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  Toughbook  notebook  PCs  are  covered  by  a  3  year  limited  warranty,  parts  and  labor. 
©  2002  Matsushita  Electric  Corporation  of  America.  All  rights  reserved. 


InBox 

Reader  Feedback 


CIGNA  ARTICLE  WAS  OFF-BASE 

Your  March  15  article  [“Cigna’s  Self-Inflicted  Wounds”],  about  Cigna  HealthCare's  transformation 
initiative  to  integrate  its  customer  service  relationship  management  system,  missed  the  mark  on  a 
number  of  levels.  Let  me  address  just  two:  the  initiative's  results  and  its  management. 

While  there  were  significant  challenges  associated  with  the  company’s  migration  of  some  of 
its  customers  from  multiple  legacy  systems  to  a  new  system  in  January  2002,  those  issues  have 
been  addressed.  The  result  is  that  currently  5  million  Cigna  Healthcare  members  are  receiving 
the  benefits  of  this  new  system,  including  quality  customer  service,  faster  claims  management, 
quicker  call  center  resolution,  and  more  robust  online  reporting  and  transaction  tools.  Millions 
more  will  be  receiving  the  benefits  of  this  system  in  the  future. 

Moreover,  the  article  unfairly  maligned  the  role  of  Cigna’s  CIO,  Andrea  Anania.  Andrea  and 
the  entire  systems  community  have  worked  closely  with  Cigna  Healthcare  to  turn  around  the 
challenges  faced  by  the  business  early  last  year.  As  a  result,  our  midyear  2002  and  January 
2003  migrations  have  gone  well,  our  customer  satisfaction  scores  are  up,  and  our  technology 
is  now  clearly  competitive.  Ed  Hanway  •  Chairman  and  CEO  •  Cigna 




WHERE’S  THE  LEADERSHIP? 


I just finished reading the article in
CIO outlining the failed Cigna systems
rollout. CIO Andrea Anania portrays
herself as a victim of circumstance, overtaxed
and unable to control the project.
What I see is a CIO who provides weak
leadership, assigns blame to others and
hides behind excuses.

When she stood up and declared that
she had successfully reengineered her
company’s IT, did she forget that there is
no “I” in team? It is lonely at the top,
but it is a lot lonelier when you take all
the praise and none of the criticism. The
reason Anania can proclaim, “These
days, projects are completed on time and
within budget,” is because these days,
successful leaders have embraced
integrity, honesty and accountability
as cornerstones of their management
philosophy.

I am sure that the colleagues
and consultants Anania fed
to the wolves to keep her job
learned some hard lessons about integrity,
honesty and accountability.


Nick  Camino 

ncamino@sbcglobal.net 

BEWARE  OF  REINVENTING 
THE  WHEEL 

Michael Schrage’s column “Worst Practice”
[Feb. 15] makes a good point, that
we must not blindly copy the best practices
of others without considering the
impacts on all of our stakeholders. But
the article presents us with a dilemma —
is he saying that we should ignore all
external experience and try to invent
everything ourselves? Wouldn’t this be,
in many cases, reinventing the wheel?

How can we assume that our situation
is so unique that we can learn
nothing from anyone else? And how
can we assume that our managers are
creative enough to think up the best
solution?

I just don’t think this is realistic
because if it were, there would be no
market for consultants, no research on
business, no books written with management
advice — and perhaps no point
in teaching management.

I have known some managers who
felt this way and didn’t read anything. I
wish they had.

Paul Arveson

paul@arveson.com

OPEN  SOURCE: 

MORE  COVERAGE  NEEDED 

Well, it’s about time! Thank you for
laying out in the March 15 issue [“Your
Open-Source Plan”] what many of us
have realized for years: That open
source is fast becoming a very viable
alternative to proprietary operating systems.
Having a number of articles discussing
tangible real-world benefits
will hopefully serve to educate more
CIOs, many of whom have unfortunately
been persuaded more by marketing
than reality.

Bob  Fately 

Vice  President,  Third  Wave 

WHAT  DO  YOU  THINK? 

Send  your  thoughts  and  feedback 
to  letters@cio.com.  Letters  may  be 
edited  for  length  or  clarity.  For  links 
to  all  articles  mentioned,  go  to 
www.cio.com/printlinks.




customers 


SAS®  provides  you  with  a  complete  view  of  your 
customers.  So  you’ll  understand  their  needs,  enhance 
their  lifetime  value  and  achieve  greater  competitive 
advantage.  To  find  out  how  leading  companies  are 
reaping  the  rewards  of  SAS  customer  intelligence 
software,  call  1  866  270  5723  or  visit  our  Web  site. 

www.sas.com/customer 


Power  to  Know* 


narks  of  SAS  Institute  Inc.  in  the  USA  and  other  countries.  ®  indicates  USA  registration. 


You  trust  the  one-inch  rivets  to  hold  the  44,000-ton  steel  skeleton  together. 


You  trust  the  skeleton  to  support  the  three  miles  of  braided  cable. 


You  trust  the  cable  to  keep  you  suspended  above  a  cold,  unforgiving  body  of  water. 




Shouldn't  you  feel  the  same  way  about  the  security  of  your  network  infrastructure? 


VeriSign®  Security  Services  address  a  range  of  today’s  business 
concerns,  from  protecting  your  network  and  applications  to 
securing  online  commerce  and  transactions.  These  are  just  a  few 
ways  we  can  help  you  communicate  and  transact  online,  safely 
and reliably. Find out how to address current and future security
demands by downloading “Enterprise Data Security: Changing
Needs, Evolving Responses” at www.verisign.com/dm/security


The  Resource  for  Information  Executives 


President  Walter  Manninen 
Publisher  Gary  J.  Beach 

Editorial  Director  Lew  McCreary 

EDITORIAL 

Editor  in  Chief  Abbie  Lundberg 
Deputy  Editor  Richard  Pastore 
Managing  Editor  David  Rosenbaum 
Managing Editor, Production Cheryl R. Asselin

Executive  Editors  Alison  Bass,  Michael  Goldberg, 
Christopher  Koch  (Investigations) 

Leadership  and  Management  Editor  Edward  Prewitt, 
Opinion  and  Knowledge  Management  Editor  Megan 
Santosus,  Research  Editor  Lorraine  Cosgrove  Ware, 
Special  Projects  Editor  Mindy  Blodgett,  Technology 

Editor  Christopher  Lindquist 

Senior  Editors  Scott  Berinato,  Todd  Datz, 

Alice  Dragoon,  Elana  Varan  (B2B  E-Commerce) 

Features  Editor  Lafe  Low 

Senior  Writers  Meridith  Levinson  (B2C  E-Commerce), 
Stephanie Overby, Sarah D. Scalet (Security and Privacy)

Staff  Writer  Ben  Worthen 
Copy  Chief  Tom  Wailgum 

Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial Assistants Daniel J. Morgan, Joe Sullivan
Consulting  Editor  Janice  Brand 
Editor  at  Large  Jerry  Gregoire 

Contributors  Susan  H.  Cramm,  John  Edwards, 

Fred  Hapgood,  John  L.  Haughom,  Tracy  Mayor, 
Susannah  Patton,  Mohanbir  Sawhney,  Debby  Young 

Editorial  Operations  Specialist  Julie  Hanson 


How  to  Reach  Us 

E-mail letters@cio.com
Phone  508  872-0080 
Fax  508  879-7784 

Address  CIO  Magazine,  CXO  Media  Inc., 

492  Old  Connecticut  Path,  P.O.  Box  9208, 

Framingham,  MA  01701-9208 

Website  www.cio.com 

Topic  Experts  www.cio.com/online_beats2.html 

Subscriber  Services  866  354-1125,  Fax  847  564-9453, 
E-mail  cio@omeda.com 

Rights  and  Permission  Andrew  Burrell  •  508  935-4785, 
E-mail  aburrell@cxo.com 


DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Directors  Hana  Barker,  Terri  Haas,  Lisa  Munroe 
Associate  Art  Director  Owen  Edwards 
Senior  Designer  George  Lee 
Designers  Kaajai  S.  Asher,  Alberto  Capolino 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Web  Editorial  Director  Art  Jahnke 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

Director,  CIO  Best  Practice  Exchange  Martha  Heller 
Senior  Editor,  CIO  Best  Practice  Exchange  Sari  Kalin 
Operations  Asst.,  CIO  Best  Practice  Exchange  Lisa  Byron 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Giilet-Liioia 
Designer  Graham  White 

CIRCULATION 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescara 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator  Lisa  Stevenson 

EXECUTIVE  PROGRAMS 

EP  Senior  Vice  President  Jennifer  Richards 

Conference  Management  Vice  President  Cynthia  Moilus 

Marketing  Services  Director  Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Giede  Kabongo 

Marketing  Services  Coordinator  Andrea  Slobogan 

Event  Development  Specialist  Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 

Event  Planning  Manager  Amy  Turell 

Senior  Customer  Services  Coordinator  Sarah  Yee 


MARKETING 

Executive  VP/Marketing  Cathy  O’Leary  Hayes 
VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate  Lori  Piscatelli 
Marketing  Research  Director  Bridget  Cammarata 
Marketing  Research  Manager  Carolyn  Johnson 
Sr.  Marketing  Research  Analyst  Dylan  DiGregorio 
Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist  Kari  Curto 
Marketing  Comm.  Associate  Sarah  Crowley 

ADMINISTRATION 

Manager  of  Finance  Margarita  Chiango 

Finance  and  Operations  Analyst  Chris  Bernardi 
Executive  Assistant  to  the  President  Diane  Martin 
Billing  Administrator  Joyce  Gillis 
Facilities  Specialist  John  Kelley 
Office  Services  Coordinator  Mary  E.  Wooldridge 

INFORMATION  SYSTEMS 

VP/CIO  Rick  Broughton 

Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 
Senior  User  Services  Specialist  Michael  Fahlsing 
System  Administrator  Robert  Reagan 
Senior  User  Services  Specialist  Jonathan  Frappier 

HUMAN  RESOURCES 

Human  Resources  Vice  President  Patricia  Chisholm 
Human  Resources  Manager  Tanya  Bureau 
Human  Resources  Representative  Beth  S.  Ramistella 

FOUNDER 

Joseph  L.  Levy 


INTERNATIONAL  DATA  GROUP 

CEO  Pat  Kenealy 

Board  Chairman  Patrick  J.  McGovern 


©  CXO  Media  Inc. 




Enterprise  Rent-A-Car  wanted  to  reduce  operational 
costs.  Xerox  found  the  key  to  success  by  moving  1.7  million 
vital  documents  onto  their  intranet  every  month. 
There’s  a  new  way  to  look  at  it. 


Learn  more:  www.xerox.com/learn  For  a  sales  rep:  1-800-ASK-XEROX  ext.  LEARN 

©  2002  XEROX  CORPORATION.  All  rights  reserved.  XEROX?  The  Document  Company®  and  There's  a  new  way  to  look  at  it  are  trademarks  of  XEROX  CORPORATION. 

Enterprise®  is  a  trademark  of  Enterprise  Rent-A-Car  Company. 


the  document  company 

XEROX. 


TECH  LABOR  MARKET 

Technology 
Job-Hunters  Unite! 

LOUIS  FRISSORE  RUNS  DATA  CENTERS.  Alexander  Cedrone,  a  data  warehouse 
manager,  makes  CRM  work.  Susan  Bradley  is  a  human  resources  manager  who  has 
honchoed  PeopleSoft  implementations. 

One by one, they and some 30 other tech-savvy pros took their brief turns on stage
recently  to  share  their  experiences  with  200  of  their  peers.  A  few  years  ago,  this 
same  crowd  might  have  gathered  at  a  posh  downtown  hotel  to  hear  presentations 
about  IT  project  lessons  or  innovative  technologies. 

But  not  today.  This  meeting  is  about  job-hunting. 

This  is  The  495  Networking  Support  Group.  It  assembles  weekly  at  Congregation 
B’nai  Shalom,  a  synagogue  in  Westboro,  Mass.,  not  far  from  where  Data  General 
engineers  once  designed  advanced  minicomputers  (inspiring  the  best-selling  1981 
book  The  Soul  of  a  New  Machine). 

A  lot  more  than  the  size  of  computers  has  changed  since  then.  Data  General  is 
gone — now  part  of  storage  giant  EMC.  Route  495,  the  technology-heavy  highway 
ringing  Boston,  is  dotted  with  office  buildings  featuring  For  Lease  signs.  The  only 
thing  trending  up  around  there  is  The  495  Networking  Support  Group’s  size:  It  has 
grown  to  1,700  members  in  two  years. 

The  Labor  Department  reports  that  308,000  jobs  were  lost  in  February  as  the 
unemployment  rate  hovered  at  5.8  percent.  A  study  by  the  trade  group  American 
Electronics  Association  showed  a  combined  loss  of  560,000  high-tech  jobs  in  2001 
and  2002,  mostly  in  manufacturing  and  communications  services. 

The Boston area represents a particularly sour spot for white collar, IT-oriented
job-hunters, says Paul Harrington, a labor economist at Northeastern University.
Massachusetts has lost 157,000 jobs, or 4.7 percent of its workforce, since the recession
started in January 2001. Losses have hit low-end manufacturing and high-end
professional services. “What makes this recession unique is that it’s more white collar
than in the past,” Harrington says.

In the synagogue’s meeting hall, Tony Badman, 57, cofounder and president of the
networking group, explains that 495 is like many of the support organizations that
have sprung up around the country in this recession, but with a difference: There’s
an emphasis on action.

Continued  on  Page  30 


The  495  Networking  Support  Group 
meets  Wednesday  mornings  to  share 
job-hunting  leads  in  the  high-tech 
industry  and  in  IT.  Tony  Badman 
(smiling,  at  right),  president  of  the 
group,  is  a  former  project  manager 
for  EMC  and  Data  General. 




imagine 


A  Java  application  management  solution 
that  allows  your  entire  organization  to  move 
in  the  same  direction  instead  of  fighting  to 
assign  blame. 

The  blame  game  is  over. 


Chances are that your team knows how to play the blame game. Here’s how
it works: your new mission-critical enterprise Java application sails through
the QA lab with flying colors, but in production it underperforms, or even
crashes. And all too often, correcting the problem boils down to guesswork
and finger-pointing: the blame game.

Unfortunately, the people in charge of creating, testing and monitoring
enterprise applications can’t talk to each other. It’s not because they need more
sensitivity training, group hugs, and gurus. It’s because they need a common
language to communicate and a proven management solution to help them
find and fix the problem fast. They need Wily 4.

Wily 4 gives the people in your organization the real-time information they
need to manage and fine-tune production applications for maximum
performance, isolate bottlenecks and find out what’s wrong when there’s a failure.

Game  over. 

Wily Technology

ENTERPRISE  JAVA  APPLICATION  MANAGEMENT 
1  888  GET  WILY  /  WWW.WILYTECH.COM 


trendlines 


FEDERAL  REGULATIONS 


Don’t  Call  Us 


THERE’S NOTHING MORE ANNOYING than a stranger calling during dinner to
sell you long-distance service or pitch a new credit card. The Telemarketing and
Consumer Fraud and Abuse Prevention Act, which Congress passed in 1994,
prohibits telemarketers from calling consumers who have specifically requested
to be left alone. The Federal Trade Commission is taking that a step further by
creating a national “Do Not Call” registry, which it expects to have operational by
October. Legislators recently allotted $16 million for the program. Consumers will
be able to add their names to the list for free. Telemarketing companies then have
to purchase the registry, and those companies that violate it are subject to fines
of up to $11,000 per incident.

More  than  25  states  have  similar  “Do  Not  Call”  registries,  but  those  only 
protect  consumers  from  local  companies  calling  from  within  the  state.  Ed 
Picard,  Northeast  area  director  for  GovConnect,  has  helped  develop  registries 
for  Kansas,  Wisconsin  and  most  recently  Massachusetts.  GovConnect  is 
currently  bidding  for  the  national  registry. 

The Massachusetts “Do Not Call” registry launched on Jan. 1, 2003,
and  already  contains  more  than  934,000  phone  numbers.  Consumers  can 
register  online  and  telemarketers  can  go  online  to  download  the  registry  list. 
The  list  is  updated  quarterly  and  costs  telemarketers  $1,100  per  year,  Picard 
says.  Don’t  get  too  used  to  a  quiet  dinnertime,  though.  In  Massachusetts, 
politicians  and  nonprofit  groups  such  as  universities  and  charities  are  not 
required  to  purchase  the  “Do  Not  Call”  registry.  -Julie  Hanson 


SECURITY  SPENDING 


Technology  Job-Hunters 

Continued  from  Page  28 

So besides the usual networking sessions, 495 has a password-protected
website that posts resumes and job opportunities. The group presented a
survey about members’ economic struggles to state and federal officials to
lobby for more government support. Members give brochures about the group
to area employers through their employed spouses. They’re even talking about
opening up an office to offer the group’s programming and IT expertise for
contract hire.

The reality, however, is that no matter your experience or the effort you put
into looking for work, jobs are hard to find. As she hunts, Bradley, the HR
manager, teaches an organizational behavior course at the online University of
Phoenix. Badman, who delivers the U.S. mail two days a week, says that many in
the group realize they may have to settle for jobs that are less prestigious
and remunerative than they had in the boom years.

That certainly goes for Frissore, 54, a 30-year IT veteran who worked as a data
center manager for EDS until July 2002. Now he’s a part-time photographer,
taking team photos for youth leagues. The support group helps, says Frissore,
because “everyone here is in the same boat.” His outlook? “The chances of me
finding a decent job in IT are slim. I’ll probably have to settle for a job in
another field for a lot less money.”

-Michael Goldberg


Where  Have  All  the  Euros  Gone? 


SECURITY IS A primary concern everywhere, but in Europe that concern isn’t
reflected in budgeting decisions. Security ranked third on the list of
anticipated IT budget increases for European companies, according to a recent
report from IDC (a sister company to CIO’s publisher). IDC analyst Carla Arend
says this imbalance indicates that European companies are still struggling with
(and spending on) the immediate needs of making their systems work and
integrating data across different systems. Once those basic issues are resolved,
spending on security solutions is likely to rise. The survey projects that
companies in France, Germany and Italy will raise their security spending the
most in 2003. -Kathleen Carr


Security  Adoption  in  Europe 

Here’s how European companies are spending their security euros. (Percentages
indicate the amount of companies that have invested in that particular technology.)

[Bar chart. Categories: antivirus; firewall software; hardware-based firewalls; encryption; monitoring employee Internet/e-mail use; intrusion detection; biometrics. Values legible in this copy: 99% (bar not labelled) and biometrics, 6%.]

SOURCE: “BUILDING SECURE ENVIRONMENTS-EUROPEAN CORPORATE INFRASTRUCTURE SURVEY,” 2002, IDC




PHOTO  TOP  BY  DIGITAL  VISION:  BOTTOM  BY  THE  IMAGE  BANK 


IT’S  ONLY  AN  INCH  OF  MOVEMENT, 

BUT  A  NOD  IS  HARD  TO  DO. 

It’s  a  commitment:  to  a  project,  to  a  mission, 
to  the  direction  of  a  company. 

With  our  Associates  on  your  project,  with  their  skills  and  experience, 
You  feel  freer  to  make  those  commitments. 

You  feel  freer  to  move  that  inch. 


Multi-million  dollar  yacht 


America’s  Cup  champion 


IT’S  TIME  FOR  EXPENSIVE 


TO  GET  REACQUAINTED  WITH  VALUABLE. 


Mercury  Interactive  can  transform  your  IT  systems  from  an  expense  into  a  valuable  asset. 

Your  company’s  software  applications  and  IT  infrastructure  are  a  huge  investment.  And  now  there’s  a  way  to  get 
more  value  out  of  your  existing  information  technology.  It’s  called  Business  Technology  Optimization  (BTO).  It’s  the 
way  to  maximize  the  quality  of  your  IT-enabled  business  processes,  minimize  IT  expenditures,  and  increase  the 
return  on  your  existing  IT  systems.  Mercury  Interactive’s  Optane™  is  the  world’s  first  BTO  software  suite.  Optane 
enables  you  to  optimize  the  entire  technology  lifecycle  —  including  testing,  production  tuning  and  performance 
management.  Mercury  Interactive  is  one  of  the  top  software  companies  in  the 


world  and  75%  of  the  Fortune  500  already  use  our  software.  To  optimize  your 
business  technology,  visit  www.mercuryinteractive.com/bto6 


©2003  Mercury  Interactive  Corporation.  Mercury  Interactive,  the  Mercury  Interactive 
logo  and  Optane  are  trademarks  or  registered  trademarks  of  Mercury  Interactive 
Corporation  in  the  United  States  and/or  select  foreign  countries. 


trendlines 


On  the  Move 


By  Meridith  Levinson 


Destination  Anywhere 


ALEX ZOGHLIN (left) has hit the road. Last month he left his post as CTO
of Orbitz after a three-year tenure with the online travel agent. He is
credited with using proprietary, low-cost technology to design the
online booking platform that connects Orbitz.com directly to the airlines’
internal host systems. Orbitz had not named a successor at press time, but it
had retained executive search firm Blackbird Partners to find a replacement.
Zoghlin didn’t say where his travels were taking him.

Too bad Orbitz can’t recruit Stuart Walters to succeed Zoghlin. Walters’
experience in the travel and e-commerce business would make him a suitable
match. Walters was hired in January as the new CIO of Opodo, the Pan-European
online travel portal launched by nine European airlines (Aer Lingus, Air France,
Alitalia, Austrian Airlines, British Airways, Finnair, Iberia, KLM and
Lufthansa). Prior to working for Opodo, Walters consulted for online travel
agencies while he was employed by IT services company Nascence. Before that, he
was COO of U.K.-based online travel agent Dreamticket.com and IT director for
Airtours UK Leisure Group.

In other news from the travel industry, America West promoted its CIO, Joseph
Beery, to senior vice president and CIO. Beery’s promotion comes amid an
executive reorganization at the airline that includes the promotions of two
other corporate officers and the resignation of the company’s executive vice
president. On the other side of the globe, Air New Zealand named Robert Fyfe as
its new CIO. Fyfe most recently served as COO and managing director of ITV
Digital.


CIOs  in  HR? 

More companies are adding HR responsibilities to their CIOs’ already full
plates. Last March, Kenneth M. Smith started juggling his CIO responsibilities
with his new function as chief human resources officer for PolyOne, a polymer
services company. Also in March, Gaylord Entertainment, the hospitality and
entertainment company that operates the Grand Ole Opry, named former IT
head Karen Spacek to the position of senior vice president of HR, training and
development, and corporate communications. Replacing Spacek in Gaylord
Entertainment’s top IT spot is Rickie E. Hall (left), who comes from ANC Rental,
the car rental company that operates the National and Alamo brands.

Fiscal  Fitness 

Bally  Total  Fitness,  the  operator  of  nearly 
420  upscale  gyms  around  the  world,  put 
Gail  Holmberg  in  charge  of  trimming  the 
fat  from  the  company’s  IT  organization. 
Holmberg,  a  veteran  of  Sears,  will  report  to 
Bill  Fanelli,  Bally’s  senior  vice  president  of 
finance. 


PROFILE:  THE  CIO’S  CFO 


RICK PUCKETT’S I.T. BACKGROUND makes him the type of CFO every CIO dreams
about. The 49-year-old vice president (right), CFO and treasurer of
United Natural Foods, a $1.18 billion distributor of natural and organic
products, has eight years of IT experience. Prior to joining the company last
January, Puckett served as CIO for Suntory Water Group, a bottled water
distributor. He was also responsible for IT at General Cable and Misco North
America.

Because he’s worn both the CIO and CFO hats, the soft-spoken Puckett has a
unique perspective on the differences between the two roles, how tension can
arise, and how it should be defused. He believes conflicts between CIOs and CFOs
stem from the different time frames in which they operate. CFOs live in a world
of monthly reports and quarterly earnings. CIOs, on the other hand, deal with IT
projects over several months, if not several quarters.

Conflicts also flare up over ROI (no surprise there). When Puckett took over as
CIO of Suntory’s IT staff of 65 employees, they were wary because “they thought
they were going to have to do ROIs for everything,” he says. Puckett won them
over by focusing on what they could learn from each other and by sharing the
goal of making IT an integral part of the corporate strategy. They were able to
save $1.5 million by consolidating systems, eliminating redundant services and
designing a more efficient network. He still made his staff do ROIs, though.
“That’s what we should be doing in the CIO role,” he says. “Having a sensitivity
for what things cost and how things benefit the company in terms of ROI is a
very positive thing.”




©2003  Sun  Microsystems,  Inc.  All  rights  reserved.  Sun,  Sun  Microsystems,  the  Sun  logo  and  iForce  are 
trademarks  or  registered  trademarks  of  Sun  Microsystems.  Inc.  in  the  United  States  and  other  countries. 


EVALUATE 


BRAINSTORM  PROTOTYPE  &TEST 


iForce℠ Solution Centers help you bring your
concept to life faster, with less risk.

The  window  of  opportunity  to  unleash  a  competitive 
advantage  is  only  open  for  so  long.  But  at  the  global  network 
of  iForceSM  Centers,  you’ll  find  the  resources  you  need  to 
greatly  shorten  the  distance  between  concept  and 
implementation  of  your  business  computing  solutions. 
So  you  can  get  ideas  to  market  faster  than  ever  before. 

The  iForce  Community  gives  you  access  to  hundreds 
of  pre-existing  reference  architectures  and  solutions 
developed  by  Sun  and  world-class  partners.  With  these 


resources  at  your  disposal,  you  can  literally  shave  weeks 
off  your  development  time  and  ensure  seamless 
integration.  And  because  these  architectures  have  been 
tested  in  the  real  world,  you  can  also  greatly  reduce  risk. 

At  iForce  Centers  you  can  prototype,  test  and  unleash 
new  technology  initiatives  on  the  exact  hardware  and 
software  configurations  they  will  ultimately  be  deployed 
on.  Before  you  pay  for  the  final  product. 

The  end  result?  You  can  get  your  concept  to  market 
before  your  competitors  know  what  hit  them.  Why  not 
use  iForce  to  stay  three  steps  ahead  of  the  pack? 


Learn  more  about  iForce  and  browse  our  online  directory  of 
industry-specific  solutions.  Visit  SUN.COM/WHYNOT 




microsystems 
We  make  the  net  work. 


WHY  NOT? 


WHAT  IS  THE 


"Offshore 

Outsourcing 

YOU  NEED  TO  GET  SMART  FAST 


Which  countries  should  you  consider?  What  is  the  best  way  to 
get  in— and  out  of— a  deal?  Should  you  work  with  an  offshore 
broker?  How  can  you  effectively  work  with  foreign  agents  and 
limit  political  risks?  Turn  to  the  CIO  FOCUS™  on  OFFSHORE 
OUTSOURCING:  NAVIGATING  THE  OPPORTUNITIES  AND 
RISKS— actionable  information  created,  filtered  and  packaged  by 
the  award-winning  editors  of  CIO  magazine. 


CIO  FOCUS™  is  delivered  right  to  your  desktop  giving  you 
immediate  access  to  the  information  you  need.  And  for  your 
future  reference  needs,  the  electronic  file  is  followed  by  a 
packaged  version,  shipped  within  72  hours.  Available  now  at 
an  introductory  price. 


CIO  FOCUS™ 

IT  Value:  Measurement  Tools 
and  Techniques  That  Work 

Software  Vendor  Relationships: 
Selecting,  Vetting  and  Managing 
Partners 

The  Elite  CIO:  Principles 
and  Practices  of  Top-Tier 
IT  Leadership 


CIO  FOCUS" 

STRATEGIC  GUIDES  FOR  EXECUTIVE  DECISION  MAKING 


The  Resource 
for  Information 
Executives 


FOR  EXECUTIVE  DECISION-SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO'S  KNOWLEDGE  MARKETPLACE. 

www.TheCIOStore.com 




Case  Study 

RHYTHM  &  HUES 


COMPUTER  ANIMATION  STUDIO  CONQUERS  ITS 

Information  Storagg 
Challenge 


identifying  the  files  containing 
the  scenes  they  needed.  They 
then  would  proceed  to  con¬ 
struct,  revise,  store  and  even¬ 
tually  move  the  scenes  to  film 
for  the  firm's  client  list  of 
movie-makers,  commercial 
creators  and  theme-park  ride  operators. 

Most  of  the  roughly  250  artists  were 


BlueArc  absolutely  delivered  what 
it  promised  to  Rhythm  &  Hues. 

— Mark  Brown 


Prologue 

Daredevil  and  Babe  the  talking  pig  were  pow¬ 
erless  to  solve  the  mounting  data  storage 
problems  encountered  by  Rhythm  &  Hues 
Studios,  the  computer  animation  and  visual 
effects  shop  that  helped  bring  these  movie 
heroes  to  life. 

That  titanic  task  fell  squarely  on  the 
shoulders  and  IT  staff  of  Mark  Brown, 
VP/technology  of  the  Marina  Del  Rey,  Calif.- 
based  firm,  which  in  the  mid-’90s  won  an 
Academy  Award  for  its  groundbreaking  visual 
effects  in  the  film  Babe.  Lacking  superhuman 
powers,  Brown’s  group  still  managed  to  save 
the  day  by  pulling  off  a  sweeping  storage 
infrastructure  overhaul  with  advanced  net- 
work-attached  storage  (NAS)  systems  linked 
to  bigger-bandwidth  backbone  connections. 

“We’re  a  storage-centric  business,” 
explains  Brown.  “Yes,  we  do  art,  but  our 
infrastructure  is  all  based  around  our  use  of 
storage,  which  is  our  lifeblood.”  The  move¬ 
ment  and  storage  of  huge  graphics  files  by 
Rhythm  &  Hues’  450  artists,  producers  and 
support  staff  have  pushed  the  firm  to  10  ter¬ 
abytes  of  storage  today — and  an  estimated 
40  to  50  terabytes  within  two  years. 

To  overhaul  this  storage  infrastructure, 
Brown  and  his  staff  needed  to  set  a  new  bar 
for  storage  and  networking  tasks.  These  tasks 
would  revamp  the  core  business  process 
to  better  serve  workers  and  customers 
while  achieving  critical  performance  and 
financial  goals. 

SCENE  1:  The  Challenge 

Prior  to  the  infrastructure  overhaul,  R&H 
artists  would  start  their  day  by  logging  in  via 
their  1  OOMbit/sec  Fast  Ethernet  pipes  and 

rWTB 

Custom  Publishing 


accessing  and  working  on  the  same  scene 
files,  which  were  continually  increasing  in 
size  while  infrastructure  bandwidth  and  stor¬ 
age  stayed  the  same.  Increasingly,  this  prac¬ 
tice  caused  network  and  server  bottlenecks — 
resulting  in  delays— as  the  pipes  and 
attached  devices  became  overloaded.  The  bot¬ 
tlenecks  in  turn  caused  expensive  downtime. 

“When  workers  are  idle,  just  staring  at  the 
walls,  that  costs  us  real  money,  as  90%  to 
95%  of  our  costs  are  labor,”  Brown  says. 
“Coming  to  a  grinding  halt  is  a  very  painful 
experience,  especially  toward  the  end  of 
projects,  when  artists  work  seven  days  a 
week  to  make  deadlines.”  The  company 
already  runs  a  three-shift,  24-7  operation. 

To  tackle  this  bottleneck/downtime  chal¬ 
lenge,  Brown  and  his  staff  leapt  into  action. 
They  knew  from  the  outset  that  failure  to 


BLUUE-ARC  Corporation,  a  leader 
in  high-performance,  highly  scalable 
network  attached  storage  (NAS),  has 
created  a  SiliconServer  Architecture 
that  delivers  the  world's  only  file  server 
designed  to  scale  beyond  today's 
1  Gbps  networks  toward  tomorrow's 
10  Gbps  networks.  BlueArc's 
SiliconServer  Architecture  moves  soft¬ 
ware  into  programmable  hardware  and 
removes  the  bottlenecks  that  limit  per¬ 
formance  in  other  NAS  systems  on  the 
I  market  today. 


address  storage  and  networking  needs 
would  result  in  decreased  productivity  and 
increased  customer  retention  and  acquisition 
costs  in  an  already  competitive,  price-con¬ 
scious  and  deadline-driven  industry. 

The  group  decided  to  install  NAS  systems 
that  could  deliver  the  highest  availability  and 
performance,  as  well  as  support  super-high 
capacity  network  connections,  all  at  an  attrac¬ 
tive  price,  and  all  deemed  critical  in  support  of 
new  high-end  workstations  that  would  be  five 
times  faster  than  their  predecessors. 

“Any  time  we  can  make  a  purchase  of 
storage  technology  that  effectively  enhances 
our  ability  to  do  things  faster,  do  things  better 
and  with  less  human  intervention,  that’s  sure 
better  for  us,”  says  Brown.  The  newest  desk¬ 
top  computers — dual-processor  workstations 
running  Linux  and  equipped  with  80-gigabyte 
hard  drives — have  indeed  helped  the  artists 
work  faster,  better  and  more  independently. 

In  evaluating  NAS  systems  vendors, 
including  BlueArc  Corp.,  Network  Appliance, 
Scale8  and  Zambeel,  Brown  focused  on  four 
criteria:  performance,  cost,  bandwidth  and 
custom  solutions.  “We  needed  a  vendor  that 
realizes  we’re  not  a  one-trick  pony,”  Brown 
says.  “We  don’t  necessarily  always  need  just 
an  off-the-shelf  piece  of  equipment— 
we  need  something  that’s  tailored  to  our 
environment.” 

SCENE  2:  The  Choice 

In  the  end.  innovation  won  out.  Brown  and 
staff  selected  BlueArc's  SiliconServers,  large¬ 
ly  because  they  use  an  innovative  architec¬ 
ture  designed  to  send  server  performance 
skyward  by  putting  functionality  not  in  soft- 


I 


CIO  ADVERTISING  SUPPLEMENT 


ware  (as  ils  rivals  do),  but,  in  programmable 
hardware — a  key  difference  the  vendor  says 
triples  device  performance. 

"The  BlueArc  server  architecture  gives 
you  NAS  on  steroids  by  deliver¬ 
ing  a  big  boost  in  speed  and  a 
marked  acceleration  of  through¬ 
put,"  says  Brown,  whose  firm 
now  uses  four  of  the  vendor’s 
NAS  servers.  When  connected  to 
R&H's  Extreme  Networks 
switches  using  1  Gigabit 
Ethernet  backbone  pipes,  the  boxes  register 
higher  performance  statistics  over  the  com¬ 
pany’s  prior  system  configurations.  Among 
the  benefits: 


$100,000  server  to  handle  the  extra  load: 

•  The  minimal  administration  and  mainte¬ 
nance  required  by  the  BlueArc  servers  means 
that  R&H  can  avoid  hiring  the  three  full-time 


directly  with  their  engineering  team,”  says 
Brown.  "We  had  one  or  two  engineers  here  at 
almost  all  times,  and  they  were  constantly  on 
the  phone  with  us.  They  worked  with  us 


ltrs  not  good  enough  to  drop  a  product  in  and  say,  'Here  you  go/  The 
thing  we  had  with  BlueArc  was  when  the  product  came  in,  they  worked 
closely  with  us  to  make  sure  the  product  matched  our  expectations. 

— Mark  Brown 


,  the  15-year-old 

computer  animation  and  special  effects 
studio,  gained  top  industry  recognition  in 
the  mid-1990s  for  its  work  on  Babe,  the 
film  about  a  talking  pig,  which  earned  the 
firm  an  Academy  Award. 

Since  then,  the  Marina  Del  Rey, 

Calif. -based  company  has  worked  on 
such  big  screen  hits  as  The  Sixth  Day, 
Daredevil,  Scooby-Doo,  Behind  Enemy 
Lines,  Men  In  Black  II,  The  Sum  of  All 
Fears  and,  most  recently,  X-Men  2.  The 
firm  has  done  the  same  work  for  such 
television  commercial  characters  as  the 


Performance  Improvements 

•  The  size  of  file  reads  and  writes  have 
more  than  doubled,  from  45  megabyte  reads 
and  20  megabyte  writes  per  second  to  1 10 
megabyte  reads  and  90  megabyte  writes 
per  second: 

•  A  selected  scene  file  requiring  ASAP 
rendering  took  six  hours  before  the  overhaul, 
but  only  1 5  minutes  afterward; 

•  The  cost  per  megabyte  of  storage  for 
R&H  plummeted  50%  to  5  cents  per 
megabyte: 

•  Backbone  bandwidth  more  than  tripled. 

Cost  Avoidance 

•  R&H  can  add  1.5  terabytes  of  storage 
across  the  three  BlueArc  boxes  for 
$25,000,  one-quarter  the  cost  of  buying  a  new 


workers  Brown  estimates  would  be  needed  to 
support  products  using  direct-attached  stor¬ 
age  (DAS)  or  storage-area  network  (SAN) 
systems; 


Geico  lizard,  the  Coca-Cola  polar  bears, 
and  for  the  StarTrek  experience  setup  in 
Las  Vegas. 

Mark  Brown  entered  the  field  of  visual 
effects  in  1993.  He  brought  20  years  of 
technical  expertise  to  R&H,  and  claims  he 
wouldn't  change  his  career  decision  for 
all  the  money  in  the  world, 

“It’s  just  so  amazingly  cool  and  fulfill¬ 
ing  to  watch  a  movie  we’ve  worked  on  and 
get  listed  in  the  credits,”  smiles  Brown. 
“And  the  company  receiving  an  Academy 
Award  for  its  talking  animal  work  in  Babe 
was  a  watershed  event.” 

For more information about Rhythm &
Hues, visit www.rhythm.com.


•  Staying  with  a  NAS  system  architecture 
enabled  R&H  to  avoid  having  to  buy  additional 
hardware  needed  to  switch  to  a  SAN  scheme, 
which  Brown  says  was  not  best  suited  to  the 
firm’s  business  process. 

Brown  won’t  quantify  the  “substantial” 
savings  R&H  realized  by  choosing  the 
BlueArc  servers  over  competing  NAS 
servers,  but  he  does  stress  the  business 
benefits  of  the  savings  combined  with 
the  expenses  avoided.  “[These  savings] 
are  passed  along  to  customers  in  the 
form  of  lower  rates  for  our  services,  and 
help  us  stay  in  the  hunt  in  the  bidding  for 
new  business.” 

Another key, differentiating value brought
by BlueArc: partnership. “When we first
started working with BlueArc, we worked
extremely closely over six months to make
sure that the product fit our needs, and our
needs didn’t just fit the product.”

The  partnership  also  extended  to  R&H’s 
top  networking  vendor,  Extreme  Networks, 
which  makes  the  switches  to  which  the 
SiliconServers  are  linked.  BlueArc  worked 
closely  with  Extreme  to  ensure  that  their 
respective  products  worked  smoothly 
together,  even  after  Brown's  group  asked  the 
server  maker  to  add  some  enhancements  to 
its  systems. 


SCENE  3:  The  Climax 

On the first day after the full-day installation,
the BlueArc box, a 1.5 terabyte system,
was  put  into  service.  Within  just  12  hours, 
Brown  recalls,  workers  had  filled  1.2 
terabytes,  and  people  were  happy.  The 
downtime  was  gone.  “It  allowed  us  to  remove 
all  our  data  bottlenecks,  which  meant  my 
system  administration  team  could  go  on  to 
dealing  with  other  things  instead  of  having  to 
deal  with  day-to-day  trivial  aspects  of  data 
bottlenecks.” 

Brown’s bottom line: He’s solved today’s
daunting data bottleneck problems with a system
designed to work well into the future—
which includes the likely use of emerging 10
Gigabit Ethernet networking technology to link
SiliconServers. That solution, Brown says,
“frees us to put more work into the art and
less work into the infrastructure.”


To schedule an appointment with BlueArc
to  discuss  your  organization's  2003  storage  plans, 
or  to  learn  more  about  how  BlueArc's  network 
attached  storage  products  and  services  can  save 
your  business  time  and  money,  please  visit 
www.bluearc.com/ciomag  or  call  1-866-864-1030. 


trendlines 


A  Smart  Card 
Day  in  Paris 

IN  PARIS,  IT’S  HARD  TO  IMAGINE  A  DAY  without  smart 
cards.  Invented  in  France  in  1979,  the  small  plastic  cards 
get their brains from a computer chip that can be programmed
to allow consumers to chat on their cell
phones,  buy  baguettes  and  ride  the  metro.  Equipped  with 
a  password,  they  can  be  used  as  security  devices  at  office 
complexes  and  military  bases. 

While  smart  cards  have  been  slow  to  catch  on  in  North 
America,  Europe  built  its  banking  networks  using  the 
technology  instead  of  the  cheaper  magnetic  strip  cards 
U.S.  banks  favor.  To  convert  U.S.  banks  to  smart  cards 
would  cost  more  than  $12  billion,  according  to  analysts 
at  Frost  &  Sullivan.  But  as  security  concerns  mount,  U.S. 
banks  will  likely  make  the  switch,  says  Can  Elbi,  an 
Amsterdam-based  IT  hardware  analyst  for  Credit  Suisse 
First  Boston. 

The  following  is  a  look  at  how  smart  cards  pervade  a 
Parisian’s  life,  using  a  fictional  character  named  Isabelle 
who  works  as  a  computer  programmer  in  the  modern 
suburb  known  as  La  Defense  and  lives  with  her  husband, 
3-year-old  daughter  and  seven  smart  card  applications. 


7  a.m.  Isabelle  wakes  up  to  the 
ringing  of  her  cell  phone,  which  like 
all  GSM  (global  system  for  mobile 
communication)  phones  contains  a 
smart  card  chip.  It’s  her  boss  asking 
her  to  report  to  work  early.  This 
version  of  the  smart  card,  known  as  a 
Subscriber  Identity  Module,  or  SIM 
card,  can  be  moved  into  a  new 
phone, allowing the user to keep
stored information such as directories
and voice dialing commands.


7:25  a.m.  On  her  way  out  the  door, 
Isabelle  asks  her  husband  to  take 
their daughter to preschool. Once
outside,  Isabelle  steps  into  a  local 
boulangerie  and  pays  for  a  croissant 
with  her  Carte  Moneo,  a  so-called 
stored  value  card.  Moneo  lets 
consumers  store  up  to  100  euros 
(US$110)  on  the  card.  Isabelle  has 
Moneo  installed  on  her  regular  bank 
card  and  regularly  “charges  up”  the 
card  at  an  ATM. 




7:40  a.m.  Isabelle  sails  through  the 
metro  turnstile  with  a  swipe  of  her 
Navigo smart card. (A sensor on the
turnstile can read the Navigo pass from
a distance of several centimeters).


8:15  a.m.  Our  heroine  arrives  at  work 
at  La  Defense.  She  waves  a  smart 
card  near  the  door’s  security  reader 
to gain access to her office building.


8:30  a.m.  Isabelle  arrives  at  her 
meeting.  Her  boss  says  she  must  visit 
a  client  near  L'Opera  to  help  with  an 
unexpected  software  glitch. 


8:45  a.m.  Back  on  the  metro 
with  her  Navigo  card. 

9:25 a.m. Isabelle arrives at the offices
of Societe Generale, a French bank just
next to L’Opera. Before working on the
client's glitch, she needs to check her
e-mail. She flips open her laptop,
connects to the Internet and inserts a
smart chip (which she stores in a USB plug
carrier on her key chain) into the USB
slot on the computer. She is
authenticated by her company’s network.


11 a.m. Isabelle has solved the
software glitch and says au revoir
to the client. She calls her friend
Natalie and makes a lunch date at
the bistro Chartier. When she pays,
the waiter comes to the table with a
portable card reader. Isabelle types
in her PIN, and the money is automatically
transferred from her
account to the restaurant’s.


2  p.m.  Back  in  the  office,  Isabelle 
gets  a  call  on  her  cell  phone.  It’s  the 
preschool  saying  her  daughter  has  a 
fever,  and  can  she  come  pick  her  up 
now. 


3:30  p.m.  Isabelle  takes  her  daughter 
to  the  pediatrician,  who  diagnoses 
an ear infection. She takes a prescription
for antibiotics to the local
pharmacy and pulls out her Carte
Vitale, a smart card issued by the
state that documents health coverage
for her family.


3:45  p.m.  On  the  way  back  home, 
Isabelle  and  her  daughter  pass  a  toy 
store.  They  duck  inside  and  Isabelle 
pays  a  few  euros  for  a  coloring  book 
using  her  Moneo  card. 


4:10  p.m.  Back  at  home,  Isabelle 
activates  her  cable  television  service 
so  that  her  daughter  can  watch 
cartoons.  The  cable  box  contains  a 
smart  card  that  lets  the  cable 
company regulate Isabelle’s programming
remotely.


7:30 p.m. Isabelle's husband calls. He'll be
home late. With her daughter snoozing,
Isabelle opens her laptop and logs on to
her company’s network using the smart chip.
She opens an e-mail from her boss: “System
meltdown at Societe Generale.
Come to work early tomorrow.”

-Susannah  Patton 




Manage  IT 
as  a  Portfolio 

PORTFOLIO  MANAGEMENT  takes  a  holistic  view  of  a  company’s  IT  portfolio.  It 
compares  technology  investments  in  terms  of  risk  and  payoff  to  the  business  and 
then  helps  you  prioritize  investments  accordingly.  Survey  results  show  that  CIOs 
who  practice  IT  portfolio  management  get  a  higher  value  from  their  IT  dollars. 
A  recent  study  conducted  by  PRTM,  the  InterUnity  Group  and  CIO  found  that 
leading  companies  use  portfolio  management.  These  market  leaders  deploy  IT 
more  selectively  and  are  better  able  to  focus  their  IT  spending  on  technologies 
and  projects  that  support  the  company’s  business  strategy.  (For  more  on  this,  see 
“Portfolio Management: How to Do It Right,” Page 56.)

Two-thirds  of 
manage  IT 
as  a  portfolio. 

The other third still
haven’t gotten the message.

65%: MANAGE I.T. PROJECTS AS A PORTFOLIO OR SUITE OF I.T. INVESTMENTS

35%: MANAGE EACH PROJECT SEPARATELY

SOURCE: CIO'S "THE STATE OF THE CIO 2003" SURVEY

Best  Practices 

Trim  the  fat.  Define  application  strategy  top-down  and  by 
how  it  supports  business  goals.  Prioritize  the  portfolio  of 
potential  projects  in  accordance  with  business  priorities. 
Cancel  low-value  projects  and  direct  those  resources  to 
higher  priority  initiatives  to  achieve  greater  returns.  Many 
companies  overload  the  pipeline  with  the  belief  that 
more  projects  will  result  in  greater  output.  In  fact,  the 
opposite  is  often  true— overloaded  pipelines  can  lead  to 
longer  project  cycle  times  and  increased  waste. 

Know  where  to  invest.  Emphasize  technology  that  helps 
your  organization  make  better  decisions.  Market  leaders 
invest  more  heavily  in  tools  like  decision-support 
applications.  The  study  shows  that  some  companies 
have a lack of automation in some areas and are
over-invested in others.

Plan ahead. Maintain a rolling three-year road map for key
process and system platforms. Update your plan throughout
the year rather than creating a last-minute portfolio
60  days  to  90  days  before  the  budget  forecast  is  due. 


Companies that are market leaders spend the same
amount on IT as other companies, but they are focused
on fewer, more strategic projects. Align
yourself with these companies

Market  Leaders  Have  Less  in  the  IT  Pipeline 


MARKET LEADERS WERE SELECTED
ON THEIR OVERALL BUSINESS PERFORMANCE
(REVENUE GROWTH
AND PROFITABILITY) AS WELL AS
THEIR BUSINESS PERFORMANCE
WITHIN THEIR RESPECTIVE INDUSTRIES
(REVENUE, NET INCOME,
GROSS MARGIN, OPERATING
EXPENSES AND MARKET SHARE).

SOURCE: "OPTIMIZING BUSINESS
PERFORMANCE: USING I.T. FOR
COMPETITIVE ADVANTAGE," A
JOINT STUDY SPONSORED BY
PRTM AND THE INTERUNITY
GROUP, IN CONJUNCTION WITH
CIO, AUGUST 2002. RESULTS ARE
BASED ON 58 RESPONSES.


Other  Companies  Assign  a  Separate  Budget  and  Schedule  to  Each  Project 


[Chart. Application categories shown: Contact/Call center automation; Marketing campaign management; Sales-force automation; E-commerce/EDI; Self-service; ERP; Procurement; Supplier collaboration; Logistics management; Demand planning; Project/Portfolio management; Resource management; Engineering/Design collaboration; Wireless; XML; Web services; Security; Portals]



Remedy

a BMC Software company


Help  Desk 


Out-of-the-Box 
Best  Practices 


Now more than ever you need to control costs. Software solutions implemented straight out of the box may appear cheaper and
faster to implement. The problem is, with rigid applications dictating how you run your business, your teams risk being trapped
inside the box.

What if you found Service Management solutions that deliver industry best practices, like ITIL, and also empower you to implement
the unique processes that maximize the value of your IT and service support organizations? With Remedy, you have it all.

Remedy’s  Service  Management  software  solutions,  including  Help  Desk,  Customer  Support,  Asset  Management,  and  Change 
Management,  deliver  out  of  the  box,  and  outside  the  box-quickly,  easily,  within  your  budget. 


Outside-the-Box 
Thinking 


www.remedy.com/advantage 

or call us at 1.888.294.5757


Your Business, Your Way.


You  want  to  think  outside  the  box. 
Your  budget  calls  for  “out  of  the  box.” 
Don’t  you  wish  you  could  have  both? 


ON WEDNESDAY, JAN. 29, 2003, police arrested 69-year-old Gerald
F.  Mason  for  the  murder  of  two  El  Segundo,  Calif.,  patrolmen.  In  1957. 

The  breakthrough  came  more  than  45  years  after  the  case  was  closed 
when,  after  receiving  an  anonymous  tip,  investigators  ran  fingerprints 
taken  from  the  car  they  believed  was  the  murderer’s  through  the  FBI’s 
new  national  fingerprint  database.  The  prints  from  the  car  matched  a  set 
of Mason’s on file in South Carolina from when he served time in prison
for burglary in 1956.

On  March  24  in  Los  Angeles, 
Mason  pleaded  guilty  to  the 
murders  and  was  sentenced  to 
two  terms  of  life  in  prison. 

The  database,  which  went 
live  in  July  1999,  is  the 
culmination  of  10  years’  work. 
However,  says  FBI  spokesman 
Steve  Fischer,  the  idea  is  much 
older.  “The  FBI  has  been 
creating  a  national  fingerprint 
database  of  subjects  arrested 
for  criminal  offenses  since 
1924,"  he  says.  But  before 
1999,  this  fingerprint  library 
had  been  maintained  only  in 
hard  copy  form  on  fingerprint 
cards.  That  made  national 
searches  next  to  impossible. 
Now,  searching  a  set  of  prints 
against  the  45  million  on  file 
takes  only  a  couple  of  minutes. 

The  hands-on  work  for  the 
$640  million  database  started 
in  1995,  when  the  hard  copy  prints  were  converted  into  electronic  images 
and  then  compressed  to  one-fifteenth  their  original  size.  Currently  40 
terabytes  of  these  compressed  files  are  stored  on  CDs,  and  the  system 
searches  through  them  jukebox-style,  spinning  through  disk  after  disk 
looking  for  a  match.  It’s  decade-old  technology,  but  Fischer  says  it  was  the 
best  bang  for  the  buck  when  the  project  started. 

Of  course,  most  law  enforcement  agents  wouldn’t  care  if  a  man 
behind  a  curtain  was  pulling  levers  as  long  as  the  database  works.  The 
application  is  so  promising  that  Los  Angeles  has  reopened  3,000 
unsolved  homicides.  “The  message  is  this,”  said  El  Segundo  Mayor 
Michael  Gordon  after  Mason’s  arrest.  “If  you  commit  a  crime  in  this 
city— whether  it's  five  days  ago,  five  weeks  ago,  five  months  ago,  or  45 
years ago-we will not give up until you are brought to justice.”

-Ben  Worthen 


In  Los  Angeles  court  on  March  24, 
2003,  Gerald  Mason  pleaded  guilty 
to  the  murders  of  two  policemen 
in  1957.  A  national  fingerprint 
database  helped  investigators 
solve  the  case. 


Database  Cracks 
Murder  Case 




This Date in IT History


The  first  10  licenses  for 
commercial  television 
are  granted  on  this  day 
in 1941 by the FCC.
NBC owns Channel 1,
and  it  broadcasts  from  the  Empire 
State  Building  (above).  Sixty  days 
later,  4,000  TV  sets  around  New  York 
City  are  tuned  to  see  NBC’s  first 
telecast,  a  Brooklyn  Dodgers  versus 
Philadelphia  Phillies  baseball  game 
at  Ebbets  Field.  The  Phillies  win  6-4. 


8 


An  ocean  of  junk  mail  shuts  down  the 
computer  networks  of  high-profile 
spam  propagator  Cyber  Promotions 
for 20 hours in 1997. The counterattack
against the company and CEO
Sanford Wallace, a.k.a. the Spam King,
is a temporary setback. A year later,
Wallace closes shop and becomes a
consultant to spam victims.


A long time ago (1944),
in  a  Modesto,  Calif., 
suburb  (far,  far  away), 
film  and  special  effects 
guru  George  Lucas  is 
born.  Just  after  his  18th  birthday, 
Lucas’s  seat  belt  snaps  and  he  is 
ejected  from  his  tumbling  vehicle 
moments  before  it  wraps  around  a 
tree  at  60  mph.  Lucas  awakens  in  the 
hospital  with  a  vision  of  a  three-part 
story  that  later  becomes  the  Star  Wars 
trilogy.  The  first  film  opens  in  1977. 


19 


The  Justice  Department  along  with 
20  states  file  an  antitrust  suit  against 
Microsoft  in  1998,  claiming  it  uses  its 
Windows  desktop  dominance  to 
suppress  competition.  Microsoft 
denies  the  charge  and  fights  the  suit. 
A  federal  judge  approves  a  settlement 
in  2002. 


20 


Referred  to  as  the  most  widespread 
digital  failure  ever,  the  Galaxy  4 
telecommunications  satellite  conks 
out  and  causes  tens  of  millions  of 


pagers  to  go  silent  in  1998.  A  majority 
of  the  pager  market  had  relied  on  the 
Galaxy  4  to  run  their  services.  Pager 
companies  scramble  to  link  their 
services  with  another  satellite. 


Adobe  Systems 
cofounder  and 
President  Charles 
Geschke  is  kidnapped 
in  1992  in  broad 
daylight  from  the  parking  lot  of  the 
Mountain  View,  Calif.,  company. 
Geschke’s  captors  set  the  ransom  at 
$650,000,  threatening  to  kill  him  and 
blow  up  his  home  if  their  demands 
aren’t  met.  Authorities  rescue 
Geschke  four  days  later,  unharmed. 
He  returns  immediately  to  his  post  at 
Adobe.  Later,  the  two  kidnappers  are 
sent  to  jail  for  life. 


28 


In  the  first  major  display  of  dissent 
since  the  Microsoft  antitrust  filing, 
Gateway  announces  in  1998  that  it 
will  modify  Windows  98  and  offer 
consumers  a  choice  of  Web  browsers. 
Microsoft reluctantly grants permission
to Gateway to include Netscape
Navigator  on  the  desktop. 


31 


Apple cofounder Steve
Jobs  loses  his  job  in 

Mac  division  in  a  power 
struggle  with  CEO 
John  Sculley  (above).  Ironically, 
Sculley,  a  proven  PepsiCo  leader,  had 
joined  the  company  in  1983  at  Jobs’ 
urging.  Sculley  remains  the  Apple 
CEO  until  1993.  Three  years  after 
that,  Jobs  returns  to  Apple  and 
reclaims  the  CEO  spot. 

-Daniel  J.  Morgan 


SOURCES: WNBC, BASEBALL
ALMANAC, THE HISTORY CHANNEL,
FILMMAKERS.COM, ULTIMATE STAR
WARS SITE, CNN, THE CENTER FOR
THE STUDY OF TECHNOLOGY AND
SOCIETY, ABOUT.COM, SILICON
VALLEY STORY, APPLE


PHOTO  LEFT  BY  AP/WIDE  WORLD  PHOTOS 


ALASKA  AIRLINES 
CHOOSES  QWEST. 


Of  course  our  technology  played  a  role  in 
winning  the  business.  But  it’s  the  people  who 
come  with  the  technology  that  get  the  job 
done  right.  Because  we  are  passionate  about 
service.  That’s  why  Alaska  Airlines  looks  to 
Qwest  for  the  right  solution.  In  this  case, 
a customized self-healing network to link
their Seattle-based operations. And there’s
a real relationship here. Because we share
enthusiasm for their success. And listen.
Anticipate. And deliver. It’s a little something
extra called the Spirit of Service. Actually,
it’s  a  big  something.  And  it  separates  us  from 
the  rest  of  the  pack. 


Grace,  Sales  Engineer 
David,  Global  Account  Manager 

Qwest  Communications 


Spirit  of  Service 




To  find  out  how  we  can  put  the  Spirit  of  Service  to  work 

for  you,  visit  us  at  qwest.com  or  call  us  at  1  800-743-3793 


Service  not  available  in  all  areas.  ©2003  Qwest  Communications  International  Inc. 



High 
Performance: 

Extremely 
responsive  to  the 
most  demanding 
business 
applications 


Longer 
Battery  Life 

Power-conserving 
technology 
enables  extended 
battery  life. 


intel.com 


The Unwired Office
starts inside.


Introducing Intel Centrino™ mobile technology.
The new generation of laptop technology
engineered to unwire your business.


Until now, the promise of
a truly wireless workforce
has been just that: a
promise. Intel Centrino™
mobile technology delivers
on  that  promise  with  unprecedented 
levels  of  mobility  for  your  users 
and  an  easier  deployment  for  you. 
Intel  is  working  with  other 
industry  leaders  to  make 
wireless  networking  not  only 
reliable,  but  secure.  Intel  Centrino 
mobile  technology  is  compatible  and 
validated  with  Cisco  enterprise 
access  points.  And  Intel  continues 
to  work  closely  with  VeriSign, 
Check  Point  Software  and 
other  leading  technology  companies 
to  optimize  security  solutions. 
The  unwired  office  starts  inside. 




©2003  Intel  Corporation.  Intel,  Intel  Inside  and  the  Intel  Centrino  logo  are  trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries. 
Other  names  and  brands  may  be  claimed  as  the  property  of  others.  All  rights  reserved.  See  http://www.intel.com/products/centrino/more_mfo  for  more  information. 


Mohanbir  Sawhney 

Creating  Value  Through  IT 


Net  Gains 


How to Keep Your Customers Satisfied

To  learn  if  end  users  are  happy,  you  have  to  ask 
the  right  people— and  the  right  questions 

JUST  AS  CUSTOMER  SATISFACTION  is  a  key  goal  for  companies, 
ensuring  end  users  are  satisfied  is  an  important  responsibility  of 
CIOs.  In  CIO’s  “State  of  the  CIO  2003”  survey,  63  percent  of 
respondents said they regularly measure either internal or external
customers’ satisfaction with IT’s services. But only 36 percent
said this is a highly effective practice for adding value to
their  business.  The  discrepancy  isn’t  surprising.  My  experience 
with  customer  satisfaction  measurement  in  the  technology 
industry  suggests  that  companies — and  by  extension  CIOs — 
often  talk  to  the  wrong  people  in  the  customer  organization  and 
measure the wrong things. If you aren’t careful, customer satisfaction
measurement could be doing your IT organization
more  harm  than  good.  Here  are  some  tips  for  getting  customer 
satisfaction  measurement  right. 

Measure  Success,  Not  Satisfaction 

Consider  the  experience  of  Trilogy,  one  of  the  largest  privately 
held software companies. Trilogy employed a classic multivariable
customer satisfaction measurement system. It contracted
respected outside companies to hone a 40-point index addressing
all major drivers of customer satisfaction. Semiannually,
these companies would survey a cross-section of customers and
analyze and report this data to management. Trilogy management
took the results very seriously. Then one day, only a week
after  Trilogy  executives  were  congratulating  themselves  on  a 
key  customer’s  high  satisfaction  ratings,  a  senior  executive  from 
that  account  threatened  to  shut  down  its  project. 

What  went  wrong?  Trilogy  found  that  its  surveys  focused  on 
many  intermediate  metrics,  such  as  “Do  you  like  our  people?” 
or  “Are  we  easy  to  work  with?”  But  these  measures  shed  little 
light on the end result: Was the customer’s experience with the
software project a success? Trilogy realized that customers do
not care about the technical merits of the software or the
responsiveness of the account manager. Customers initiate projects
to drive specific operational and financial changes in their
businesses.  The  only  thing  they  care  about  is  the  actual  business 




ILLUSTRATION  BY  JAMES  O'BRIEN 


Now  you  can  produce  better,  faster,  more  affordable  color  documents  -  with  the 
50 page-per-minute ColorFORCE™ and the complete line of color printers and copiers from
Konica. It's revolutionary technology that can change the whole tone of your business.

Visit www.colorforce.com for a closer look. Or call 1-800-2-KONICA.


ColorFORCE  and  'Change  the  tone'  are  trademarks  of  Konica  Business  Technologies,  Inc 




value  delivered  by  the  vendor.  Trilogy  now  measures  customer 
success  on  a  set  of  “business  success  metrics”  established  jointly 
with  each  customer.  These  metrics  are  relevant  to  the  senior 
business sponsor and are designed to measure the value delivered
throughout the life of the project.

Don’t  Let  Averages  Lie 

Sometimes,  it’s  not  obvious  who  the  customer  really  is.  Enterprise 
technology  projects  involve  multiple  constituents  with  differing 
and  often  conflicting  objectives.  IT  investment  decisions  involve 
business  decision-makers,  IT  professionals,  finance  executives 
and  end  users.  These  audiences  may  define  value  differently. 


For instance, in deploying a CRM system, the IT organization
may care about ease of deployment and performance. The
finance  organization  may  emphasize  ROI.  The  end  users  may 
care  about  ease  of  use  and  adaptability  of  the  software  to  their 
needs.  Given  these  differences  in  priorities,  one  audience  could 
be  satisfied  while  another  is  unhappy  with  the  same  project.  An 
average  customer  satisfaction  score  will  completely  mask  these 
differences.  In  the  Trilogy  example,  the  IT  organization  was 
pleased with the vendor, but the business sponsor was dissatisfied.
And because the business sponsor was paying the bills,
his  opinion  was  the  one  that  mattered. 


Loyalty  Is  Not  Satisfaction 

Just  because  your  customers  are  loyal,  it  doesn’t  mean  that 
they are satisfied. A recent study by research firm Miller-Williams
of 33 companies in six industries found that loyalty
does  not  correlate  perfectly  with  customer  satisfaction.  In  fact, 
the  study  found  a  negative  correlation  between  satisfaction  and 
loyalty  in  the  software  industry.  The  likely  explanation  is  that 
enterprise  software  has  high  switching  costs,  so  customers  are 
loyal  to  their  vendors  even  if  they  aren’t  happy.  Customers  of 
Microsoft find it difficult to switch from Microsoft Office and
Windows because the company dominates the desktop
applications and operating systems market. As I tell my
friends at Microsoft, there is a difference between loyal
customers and hostages. As Microsoft is finding out with
the Linux threat in the server business, the true test of loyalty
is to retain your customers when they have a real choice.

CIO.com: Are your customers loyal because they have no
choice? Give Mohanbir Sawhney your two cents when you
ADD A COMMENT to this column online. Find the link on
the www.cio.com homepage.

Replace  Ritual  with  Reality 

Sometimes,  customer  satisfaction  programs  take  on  a  life  of 
their  own.  Consider  the  auto  industry.  Dealers  of  luxury  autos 
often reward their sales personnel based on customer satisfaction
surveys. However, that practice has unintended consequences,
as one of my friends discovered while buying a car
from an Acura dealer. Even before the customer satisfaction
survey had been mailed out, the sales representative hinted
that nothing less than an exceptional rating would do. Another
example of good intentions gone awry comes from my experience
during a recent stay at the Sheraton
World resort in Orlando. Sheraton recently
rolled out its “Sheraton Service Promise.” It
pledges to compensate guests for any inconveniences.
When I checked into my room, I
found  that  the  toilet  was  leaky  and  would  not 
stop  running.  I  called  the  front  desk  and  was  offered  a  coupon 
for  a  free  breakfast.  But  when  I  returned  to  my  room  in  the 
evening,  the  toilet  still  hadn’t  been  fixed.  I  left  annoyed  early 
the  next  morning  without  having  time  to  eat  my  free  breakfast. 
As  far  as  Sheraton  was  concerned,  I  was  satisfied,  but  it  never 
solved  my  problem. 


Lessons  for  the  CIO 

The same ideas for satisfying customers of a company’s products
and services can help CIOs serve their customers. While
service-level agreements (SLAs) are the norm for managing
relationships with external IT service providers, many IT organizations
don’t have internal SLAs that define expected services
to  end  users  and  penalties  if  those  service  levels  aren’t  met.  In 
addition,  CIOs  should  work  to  understand  how  their  customers 
define  success.  That  requires  a  close  partnership  with  end  users 
to  understand  the  business  outcomes  that  they  seek  and  the 
metrics  that  should  be  used  to  measure  business  value  from 
their  perspective.  Finally,  IT  organizations  should  not  forget 
that  business  units  aren’t  captive  customers  whose  loyalty  can 
be  taken  for  granted.  CIOs  who  can’t  satisfy  end  users  may 
find  their  jobs  on  the  line. 

Ultimately,  whether  you  deal  with  external  customers  or 
internal  customers,  the  only  way  to  make  yourself  successful  is 
to  make  your  customers  successful.  While  satisfaction  does  not 
guarantee  success,  customer  success  does  guarantee  customer 
satisfaction.


Mohanbir  Sawhney  is  the  McCormick  Tribune 
Professor  of  Technology  at  Northwestern  University's 
Kellogg  School  of  Management.  He  can  be  reached  at 
mohans@kellogg.northwestern.edu. 




Only  PeopleSoft  Enterprise  Service  Automation  delivers  proactive  control  over  outside  services  spending. 

PeopleSoft  ESA  is  the  only  complete  solution  for  managing  the  expense  of  outside  contractors,  consultants,  and 
temps.  It  enables  you  to  know  exactly  who's  doing  what  and  how  much  it  is  costing.  And  PeopleSoft  ESA  matches  the 
right  skills  to  the  right  projects  in  real-time.  So  you  minimize  outside  services  spending,  while  maximizing  its  value. 

Learn  more  by  visiting  us  at  www.peoplesoft.com/esa  or  call  1-888-773-8277 


©  2002  PeopleSoft,  Inc.  PeopleSoft  is  a  registered  trademark  of  PeopleSoft,  Inc. 


PeopleSoft 


Customer  Relationship 
Management 


Supply  Chain 
Management 


Enterprise  Service 
Automation 


Financial  Management 
Solutions 


Human  Capital 
Management 


EVER  NEED  CONSULTANTS 
TO  FIGURE  OUT  HOW  MUCH 
YOUR  CONSULTANTS  COST? 


I  AM  A 
SOYBEAN. 

I  CAN  BUILD  YOUR  NEXT  HOUSE.  I  CAN  BE  MIXED  WITH 
RECYCLED  NEWSPRINT  TO  CREATE  AN  ECO-FRIENDLY 
CONSTRUCTION  MATERIAL.  I  HAVE  THE  POWER  TO  BE  STRONG. 
I  HAVE  THE  PHYSICAL  PROPERTIES  OF  WOOD.  I  HAVE  THE 
POWER  TO  MAKE  A  LOVELY  COFFEE  TABLE.  I  AM  MORE  THAN 
A  SOYBEAN. 


I  AM  A 
NETWORK. 

I  CAN  BUILD  INDUSTRIES  FROM  A  BEAN.  I  CAN  GIVE  REAL-TIME 
INVENTORY  UPDATES  TO  RETAILERS,  MANUFACTURERS  AND 
FARMERS  SO  NO  BEAN  IS  WASTED.  I  CAN  GUARD  SOY  SECRETS 
FROM  ECO-FRIENDLY  YET  RUTHLESS  COMPETITORS.  I  CAN  USE 
THE  POWER  OF  CONVERGED  DATA,  VOICE  AND  VIDEO  TO  TEACH 
A  GLOBAL  SALES  FORCE  ABOUT  THIS  VERSATILE  LEGUME.  I  AM 
MORE  THAN  A  NETWORK. 




THIS  IS  THE  POWER  OF  THE  NETWORK.  nOW. 


Cisco  Systems 


© 2003 Cisco Systems, Inc. All rights reserved. Catalyst, Cisco, Cisco Systems,
affiliates  in  the  U.S.  and  certain  other  countries. 


cisco.com/powernow 


IOS,  and  the  Cisco  Systems  logo  are  registered  trademarks  or  trademarks  of  Cisco  Syste 


Peer  to  Peer 

Field-Tested  Ideas  from  CIOs  for  CIOs 


How to Pass the Stress Test

An  IT  executive  tells  the  story  of  his  own 
stress-related  breakdown  and  recovery,  and 
reveals  what  you  can  do  to  avoid  the  abyss 

BY  JOHN  L.  HAUGHOM 

THERE  IS  A  GREAT  SCENE  in  the  1990  movie  Days  of  Thunder.  Tom 
Cruise  is  a  race  car  driver  screaming  around  a  racetrack  in  a 
noisy  blur  of  smoke  and  color.  Coming  into  a  straightaway, 
he puts his foot right to the floor. The car roars, the tachometer
leaps up into the red, and the engine promptly explodes. The
car  loses  all  speed  and  limps  to  the  side  of  the  track,  useless. 
Cruise  had  pushed  it  too  far,  and  as  a  consequence,  it  died. 

Unfortunately,  many  executives  in  the  business  world  have 
also  got  their  foot  to  the  floor,  unaware  that  burnout  lies  just 
around  the  corner.  The  consequences  can  be  disastrous  and 
costly,  not  only  for  the  individual  but  also  for  the  company. 

I  should  know.  For  more  than  25  years,  I  believed  I  could 
accomplish  just  about  anything  professionally.  And  I  often  did. 
Following  medical  school,  I  enjoyed  15  years  of  practice  before 
accepting  a  senior  leadership  role  in  PeaceHealth,  a  nonprofit 
health-care  organization  in  the  Pacific  Northwest.  My  job 
quickly grew until I had responsibility for corporatewide clinical
quality and all information technology initiatives. In 1994,
PeaceHealth launched an aggressive campaign to implement
an advanced IT infrastructure supporting both operations and
clinical care. The centerpiece of the effort was our Community
Health Record project, a network of communitywide medical
records designed to support patient care in each of the
communities we serve.

Little did I know how difficult this role would prove to be.
Resistance was monumental and seemed to come from everywhere
in the organization, from skeptical board members and
executives to hostile physicians. My workday typically began by
6 a.m., when I would send e-mails and return voice messages
from home. Arriving at the office before 7:30 a.m., my days
were characterized by a blur of conference calls, tense meetings
and voluminous e-mail exchanges. Around 7 p.m., I would
stagger out of the office to catch a quick meal with my wife,
before heading to my home office where I would continue
working until 10 or 11 p.m. My four sons grew accustomed to
not seeing their dad even on the weekends.



Dependable  technology  builds  confidence. 


When  you  set  out  to  conquer  e-business  challenges,  success  or  failure  often  hinges 
on  your  technology  partner.  Consider  the  partner  that  4  out  of  5  FORTUNE  500  ® 
companies  already  trust:  Sterling  Commerce.  With  a  25-year  track  record  of 
helping  businesses  successfully  improve  performance  and  operating  metrics, 
no  partner  is  more  dependable  or  more  knowledgeable. 


Integrating  existing  processes?  Developing  new  ones?  Building  entire  electronic 
trading  communities?  Look  to  us  for  dependable  software  and  services. 

It's  all  a  matter  of  confidence. 


sterling  commerce 


www.sterlingcommerce.com 


©2002  Sterling  Commerce,  Inc.  ALL  RIGHTS  RESERVED.  Sterling  Commerce  and  the  Sterling  Commerce  logo  are  trademarks  of  Sterling  Commerce,  Inc. 
Sterling  Commerce  is  an  SBC  Communications  Inc.  company. 




Despite  the  resistance,  with  the  staunch  support  of  my  CEO, 
we literally moved mountains. In roughly four years, PeaceHealth
went from virtually no automation to a highly advanced
infrastructure  including  a  full-blown  electronic  medical  records 
system  supporting  care  in  all  of  our  hospitals  and  clinics  with 
nearly  everything  online. 

However,  managing  the  project  was  the  most  stressful  job  I 
had  ever  undertaken.  In  the  summer  of  2000,  my  engine 
reached  its  breaking  point. 

Each night I would lie in bed and replay my day at work,
sleeping only a few hours. At the office, I uncharacteristically
began snapping at people. My colleagues began wondering
what happened to the affable, mild-mannered, resilient “old
John.” Finally, one October morning, I realized that I could
not go on. I literally had no reserve, finding it difficult to even
get out of bed, much less manage my professional responsibilities.
Admitting this to myself was one of the hardest things I
have ever done, but it was also one of the most important.

My boss, the corporate CEO, graciously granted me a three-month
sabbatical. A couple of days into it, I sought professional
help from the Professional Renewal Center, an outpatient
center  dedicated  to  helping  executives  deal  with  stress.  It  turned 
out  to  be  exactly  the  right  thing  to  do. 

The  Stress  Epidemic 

During this ordeal, I learned that I was far from unique. The
incidence of work-related stress is rapidly rising in today’s
high-speed business world. With greater demands at work and new
technology that blurs the boundary between home and job, it
is increasingly hard to “switch off.” Several recent studies show
that stress in the workplace is skyrocketing. According to a
new study by the National Institute for Occupational Safety
and Health, more than half of working Americans view job
stress as a major problem in their lives. That’s more than double
the percentage in research conducted 10 years ago.

Burned-out workers become disillusioned, frustrated, resentful
and aggressive. Their work performance may shift from
impressive to barely adequate, or they may leave the organization.
The bottom line is that this can be very costly for companies,
especially as burnout tends to target employees who
are highly dedicated, just the workers you want to keep. (To
read more, see “Staff Alert” on Page 72.)


I was lucky. With rest, counseling and introspection, I rediscovered
myself and my zest for life. Equally important, I learned
vital coping and stress management skills that have allowed
me to return to work and be as productive as before, yet with
a healthier balance of my professional and personal life. I feel
as though I have been given a great gift. I returned to work
armed with new insights on leadership. I learned that one’s
ability to lead is not strictly based on MBA-like skills. The efficacy
of leadership also depends on how you respond to the
demands and challenges of your position, internal conflicts or
interpersonal struggles. By better understanding myself and my
response to my environment, I was vastly better prepared to
handle the complexities of my role. I have learned that if a situation
begins to trigger anxiety or stress, I should quickly recognize it
and identify the reason. If these internal conflicts are recognized,
they are almost always easy to resolve, allowing me to focus on the
bigger picture. This has allowed me to approach even the most complex
and demanding situation with the calm, dispassionate
demeanor necessary to resolve it. In addition, I have learned to
manage my personal life as rigorously as my professional life.
This includes shutting down every night no later than 7 p.m. to
pursue personal interests, and religiously guarding my weekends
and regular vacations.

By  demanding  this  balance  in  my  life,  I  have  become  more 
productive,  not  less.  Those  around  me  have  seen  a  noticeable 
difference. Colleagues have complimented me on my equanimity
even in the most difficult situations. They frequently
comment  that  it  is  nice  to  see  the  “old  John”  back.  Many  have 
privately  told  me  they  admire  my  willingness  to  seek  help  and 
openly  share  my  experience. 

There is no question that I could not have negotiated this significant
life challenge without the strong and unwavering support
of those around me, particularly my wife and family. In
addition, many PeaceHealth colleagues were supportive, especially
my boss, PeaceHealth CEO John Hayward. Without his
commitment  and  support,  it  is  much  less  likely  that  my  journey 
toward  recovery  would  have  been  successful. 

A  year  ago,  PeaceHealth  launched  an  initiative  to  improve 
the patient experience and help reduce stress among its employees.
In my case, PeaceHealth fulfilled that mission in a deeply
personal way. For that, I will always be indebted.


John L. Haughom is senior vice president of health-care
improvement at PeaceHealth, a private network
of  hospitals  in  the  Pacific  Northwest.  If  you  have 
stressful  stories  you’d  like  to  share,  contact  Executive 
Editor  Alison  Bass  at  abass@cio.com. 




THE SECURITY STRATEGY IMPERATIVE

THE ROI OF SECURITY

NEW RULES & REGS

AL SOLUTIONS

EMERGING TECHNOLOGIES, EMERGING RISKS

THE VALUE OF PRIVACY

BUSINESS CONTINUITY

SECURITY THREATS & BUSINESS CONTINUITY CHALLENGES

Custom Publishing Advertising Supplement


Secure  technology  provides  peace  of  mind 


When  you  set  out  to  secure  your  e-business  communications,  success  or  failure 
often  hinges  on  your  technology  partner.  Choose  a  partner  that  4  out  of  5 
FORTUNE  500®  companies  already  trust:  Sterling  Commerce.  Sterling  Commerce 
provides  a  complete  line  of  solutions  for  securely  moving  business  data  within  an 
organization  or  outside  to  customers  and  business  partners. 

To  learn  more  about  the  importance  of  security  in  industry,  please  visit  us  at 
www.sterlingcommerce.com/go/cio before May 30, 2003. The first 100 visitors
will  receive  a  free  copy  of  the  popular  hardcover  book,  Network  Security:  PRIVATE 
Communications  in  a  PUBLIC  World,  by  Charlie  Kaufman. 


sterling commerce


©2003  Sterling  Commerce,  Inc.  ALL  RIGHTS  RESERVED.  Sterling  Commerce  and  the  Sterling  Commerce  logo  are  trademarks  of  Sterling  Commerc 
Sterling  Commerce  is  an  SBC  Communications  Inc.  company. 




CIO  ADVERTISING  SUPPLEMENT 


SECURITY:  NEW  REALITY  CHECK 


THE  AGENDA 


THE  #1  TOPIC  ON  LEADERS’  MINDS 


Welcome to the new year of Strategic Directions, and to
what we call the “new reality check” of managing information
security threats and business continuity challenges.

Strategic Directions is the ongoing series of CIO and
CSO supplements, produced by CXO
Media’s Custom Publishing group,
focusing on the key business-critical
technologies and solutions of the day.
Through research, analysis, case studies
and vendor profiles, Strategic Directions
provides an executive-level primer
to the hot topics on the minds of senior
IT and business leaders.

And  no  topic  is  hotter  right  now 
than  security. 

How  many  times  has  one  of  your 
networks  or  systems  been  attacked  in 
the last year? What happens if your website
goes down for even an hour, or if a
key  corporate  database  goes  offline  for 
a  day?  What  will  the  interruption  cost 
your  organization? 

And  what  about  your  partners  and 
suppliers?  Can  your  operations  survive  a 
failure  in  telecom  services  or  DNS 
servers? 

This Strategic Directions supplement,
the first in 2003, looks at what it
takes to protect the enterprise’s ability
to fulfill its mission: the strategies,
tools and techniques CIOs and CSOs
need to secure information systems,
applications and networks from attack
and failure, accompanied by best-practices
advice and in-the-trenches case
studies of what works and what doesn’t.

Among the topics we tackle in this
edition:

■ DEALING WITH NEW TECHNOLOGIES:
They’re way cool and creeping inexorably
into the enterprise, but they’re
also dangerously insecure. Should you
ban them or find ways to embrace them?
Whatever you do, don’t ignore them.

■ RETHINKING YOUR SECURITY STRATEGY:
What you can do to protect your enterprise
now.

■ SOLUTIONS THAT EASE THE PAIN: Simplifying
security management; multifunction
appliances; authentication alternatives
and more.

■  THE  PUSH  FOR  PRIVACY:  Dos  and  don’ts 
that  keep  customers  in  the  fold. 

■  CONTINUITY  PLANNING:  As  demand  for 
the  real-time  enterprise  grows,  so  does 
an  appetite  for  high-availability  and 
fault-tolerant  systems. 

■  ROI  CHECK:  Steps  you  can  take  to  cut 
security  overhead  and  prep  systems 
and  networks  for  future  security 
investments. 


Read on. Take notes. Tear out
pages. Contact our sponsors for more
information. And please let us know
what you think about Strategic
Directions in general, this edition in particular
and ideas you’d like us to tackle
in future editions. Got any best-practices
you’d like to share with other IT/business
leaders? Send them to me; I’ll pass
them along in our next issue.

Thanks for reading Strategic Directions.
And as a familiar TV cop used to
say, “Let’s be careful out there.”

Tom  Field 

Director  of  content  development 
CXO  Media  Custom  Publishing 
tfield@cxo.com


ABOUT  STRATEGIC  DIRECTIONS 

Strategic Directions focuses on
key business-critical technologies
and solutions with in-depth
coverage, analysis and market
data regarding today’s hot topics.
There will be four editions of
Strategic  Directions  in  2003, 
with  future  issues  focusing  on 
outsourcing,  storage  and  CRM. 
For  more  information,  visit 
www.cio.com/custompub. 




THE SECURITY STRATEGY IMPERATIVE

ANTICIPATING A DISASTER IS EASIER THAN RECOVERING FROM ONE


“Exactly the event you think
cannot happen will happen
if you do not plan for it,”
says Dave Foss, manager of
information systems and
networking at MIT.

Too often, though,
information security measures
develop haphazardly, in
reaction to the last attack or
emergency. And too often the technologies
deployed deliver only partial
solutions. The result: patchwork
defense full of vulnerabilities.

These  days,  enterprises  need  more 
than  a  patchwork  defense.  Following 
are  some  bits  of  expert  advice  for 
developing  a  smart,  comprehensive 
security  strategy. 

SURVIVABILITY: KNOW YOUR VULNERABILITIES

“What was once a cottage industry of
hackers has now evolved into a sophisticated
group of well-organized, well-connected
and informed users who
revel in their ability to cause disruption,”
says Foss.

If security is about technology,
then survivability (what folks at
Carnegie Mellon University’s Software
Engineering Institute call “the capability
of a system to fulfill its mission, in a
timely manner, in the presence of
attacks, failures or accidents”) is
about the business.

“The  real  costly  security  concerns 
are  those  which  affect  your  corporate 
bottom  line,”  says  Foss.  “This  includes 
the perception that your company cannot
be trusted. If you can’t keep your
own  data  secure,  why  should  anyone 
trust  you  with  personal  or  business 
data?” 


When it comes to developing a
security strategy, the first thing an IT
executive needs to know is what’s at
risk in the business. That means precisely
figuring out the vulnerabilities
and creating what Omni Consulting
Group calls an inventory of impacted
resources and outcome probabilities.

“If  you  look  at  security  in  terms  of 
risk  mitigation,  you  can  map  out  your 
resource  requirements  accordingly,” 
says  Wayne  Mincey,  president  of  the 
technology services division at Spherion,
a Ft. Lauderdale, Fla.-based HR
and  IT  services  provider. 

“There are three ways to deal with
risk,” Mincey says. “You can live with
it, you can avoid it or you can transfer
it elsewhere.” Which path you take
depends on the probability and severity
of the risk in the context of what is
important to your organization. A
careful eye should then be turned
toward identifying your vulnerability
levels (ideally in a regulated fashion)
and focusing your action plans around
Continued on page 6




THE ROI OF SECURITY:
HOW TO GET THE MONEY YOU NEED - AND SHOW RESULTS


Security  isn’t  an  investment,  according  to  Christian 
Byrnes,  vice  president  for  security  and  risk  strategies  at 
Meta  Group.  “It’s  a  tax  on  IT-based  assets  required  to 
protect  the  value  of  the  assets,”  he  says. 

And,  arguably,  how  much  tax  you  pay  depends  on  how 
much  risk  you  face.  So  consider  this: 

■  The  number  of  vulnerabilities  has  been  doubling  since 
1998,  says  Carnegie  Mellon  University’s  CERT  Coordination 
Center. 

■  Nearly  20,000  digital  attacks  occurred  this  January, 
according  to  mi2g  Ltd.,  a  digital  risk  management  firm. 
Damages  exceeded  $8  billion.  At  that  rate,  2003  will  see 
more  than  180,000  attacks  doing  $80  billion  to  $100  billion 
worth  of  damage. 

■ During a nine-hour period on July 19, 2001, the virus Code
Red  infected  250,000  computers,  according  to  CERT.  Code 
Red,  SirCam  and  LoveBug  together  infected  an  estimated 
40  million  computers;  repair  efforts  and  lost  productivity 
added  up  to  $12  billion. 

When  it  comes  to  how  much  an  organization  should  spend 
on  security,  Dave  Foss,  manager  of  information  systems 
and  networking  at  MIT,  asks,  “How  much  are  you  willing  to 
risk?” 

Consider  the  cost  of  having  no  security.  Do  you  have 
adequate  recovery  plans  to  put  your  entire  desktop  or 
server  environment  back  in  operation  if  you’re  attacked? 
How  long  can  you  stay  offline?  What’s  the  business  cost  of 
having every IT professional divert his or her attention to
recovering your IT infrastructure after a security-related
disaster?

The  capital  outlay  that  your  security  program  needs 
depends  on  buy-in  at  the  top  of  your  organizational  food 
chain. 

And  to  get  that  buy-in,  you’ll  have  to  communicate 
your  security  needs  in  business  terms.  This  point  can’t  be 
overstated:  Information  security  efforts  must  support 
business  objectives  and  business  processes. 

Some security experts use the 10 domain areas of
(ISC)²’s Common Body of Knowledge to elucidate security
issues to business managers and end-users. These 10
domains are the following:

■  Security  Management  Practices 

■  Security  Architecture  and  Models 

■  Access  Control  Systems  and  Methodology 

■  Application  Development  Security 

■  Operations  Security 

■  Physical  Security 

■  Cryptography 

■  Telecommunications,  Network  and  Internet  Security 

■  Business  Continuity  Planning 

■  Law,  Investigations  and  Ethics 

Some CIOs and CSOs use risk assessments and operational
metrics, like number of intrusions blocked or
viruses foiled, to justify security spending and educate
top management. And education really is the key to
obtaining necessary funds, as well as demonstrating ROI.

“Security is often viewed as a cost center, and rightly
so: it’s a cost of doing business today,” says Chad
Robinson, senior research analyst at the Robert Frances
Group. “However, because most companies seek to continually
‘increase profits, reduce costs,’ this often means
security efforts get only minimal funding.”

Having  this  mind-set  is  a  serious  mistake,  Robinson 
says:  “Setting  a  budget  for  security  and  then  determining 
what  that  budget  will  allow  almost  guarantees  that  a 
security  effort  will  fail  at  some  point.” 

In  the  end,  says  MIT’s  Foss,  “The  best  advice  is  to 
secure  your  internal  systems  as  much  as  possible  from 
intruders,  realizing  that  no  solution  is  perfect.”  Relay  this 
plan  to  management  and  plan  for  the  worst,  without 
becoming  obsessive.  Hire  experienced  people  and  listen  to 
what  they  tell  you,  but  take  it  upon  yourself  to  make  the 
final  decision  based  on  your  particular  needs.  “Now  relax 
and  have  a  nice  cup  of  latte  at  your  local  Starbucks,  and 
take  a  good  look  around  you,”  Foss  says.  “You  might  end 
up  working  there  if  you  made  the  wrong  decisions.” 




FIVE  NOT-SO-EASY  STEPS  TO  MITIGATING  RISK 


Continued  from  page  4 
your  risk  levels. 

Begin  with  an  audit  —  an  honest 
(typically  external)  assessment  of  all 
vulnerabilities. 

“There is no way to know whether
you meet the standard of due care
without some form of external assessment,”
says Christian Byrnes, vice president
for security and risk strategies at
Meta Group. “Just make sure that the
program is being assessed against some
defined reference. Generic reviews
without a methodological basis are useless
and misleading.”

You  can  get  security  audit  help 
from  any  number  of  vendors,  including 
Continued  on  page  22 


■ DETERMINE WHAT OPERATIONS AND FUNCTIONS
ARE ESSENTIAL FOR THE BUSINESS TO
SURVIVE. Priorities become clear as you
figure out the impact of losing each
operation and function.

■ IDENTIFY SYSTEMS AND PERSONNEL THAT
ARE ESSENTIAL TO THE CONTINUANCE OF
THOSE KEY BUSINESS OPERATIONS AND
FUNCTIONS. Then pinpoint all directly
and indirectly related components and
subsystems.

■ ASCERTAIN AND EVALUATE THREAT SCENARIOS
FOR THOSE OPERATIONS AND THEIR SYSTEMS.
This includes developing an understanding
of what or whom business assets
are being secured against and identifying
system and process vulnerabilities.

■ USE RISK EVALUATIONS TO CREATE STRONG
POLICIES AND PROCESSES, AND ENFORCE
THEM. Once established, review security
policies often and expect to change
them in response to evolving threats
and technology solutions.

■ DEVELOP POLICY-BASED DEFENSE IN DEPTH.
You’ll need layers of protection that
reduce visibility of and access to critical
assets, including perimeter defenses
(firewalls, IDSs, antivirus programs,
etc.), encryption and a secure network
operations center. Threat levels are
lower when attackers can’t technologically
or physically touch their target.


CASE  STUDY 


Like many organizations, the Kansas Bureau of Investigation
(KBI), which maintains a Criminal Justice Information
System accessed by law enforcement agencies, courts and
other organizations throughout the state of Kansas, wanted
to migrate from its private network to the Internet to make
access to its information more affordable. And although
KBI had to comply with strict security and
auditing requirements mandated by state and
federal legislation, KBI’s IT consultant, Norma
Jean Schaefer, believed that a carefully-crafted
configuration of state-of-the-art commercial
products could provide the high levels of
security required.

UP  AND  RUNNING  IN  TWO  WEEKS 

According  to  Schaefer,  Nokia’s  strategy  for  network  security  fit  the 
bureau’s  needs  like  a  glove:  a  purpose-built  platform  implemented  in  a 
choice  of  specially  hardened  security  appliances  that  are  all  pre-configured 
with  the  industry’s  best  security  applications. 

Using  applications  from  three  of  Nokia’s  partners  —  Check  Point 
Software  Technologies,  FishNet  Security  and  Internet  Security  Systems 
(ISS)  —  KBI  was  able  to  get  the  basic  security  provisions  up  and  running  in 
just  two  weeks;  a  remarkable  feat  Schaefer  attributes  to  Nokia’s  approach 
to  security  which  stresses  purpose-built  appliances  pre-configured  with 
best-of-breed  applications. 


“The  IPSO  operating  system  on  the  Nokia  IP  Security  Platform  takes  the 
risk  out  of  installing,  configuring  and  operating  security  appliances,” 
reports Schaefer. “There are just too many variables with a general-purpose
operating system where errors in the intricate configuration can leave
the  network  vulnerable.  But  with  the  Nokia  appliances,  I  can  have  a  site  up 
in  about  an  hour  and  sleep  well  knowing  the  configuration  is  solid.” 


NOKIA 

Connecting  People 


$13,000  VS.  $25.00 

KBI also appreciates the scalable performance
available across the family of Nokia IP
Series appliances. The choice of different
models, some available in fully redundant configurations,
gives KBI a cost-effective solution
for just about every conceivable need, from the data center to the
smallest field office.

“We have a lot of small counties that could not afford $13,000 a year for
a leased-line,” observes Ron Rohrer, IT director at KBI. “Now, even the
smallest departments can connect for about $25 a month.”

The project has since grown to connect some 6,000 users at 250 separate
agencies, and has been an unqualified success with an estimated cost
avoidance of $2.5 million and a 300 percent return on investment during the
first year.

For more information, contact Nokia at 1-877-997-9189 or visit
http://www.nokia.com/securenetworksolutions. 




Connecting 
the  right 
people 


Find  out  why  industry  leaders  and  the  world’s 
leading  financial  institutions  choose  Nokia  security  systems. 


The  more  complex  your  business  becomes,  the 
more  you  need  secure  and  reliable  connections  to 
your  corporate  network.  When  you  combine  the 
world’s  best  VPN/Firewall  software  from  Check 
Point  Software  Technologies  and  Intrusion 
Protection  from  Internet  Security  Systems™ 
(ISS)  with  Nokia  platforms  and  management 
applications,  you  save  time  and  resources, 


gaining  flexibility  and  reliability.  Only  Nokia  takes 
a  complete  system  approach  to  network  integrity 
with  full  integration  of  best-of-breed  applications 
on  purpose-built  platforms  that  are  easy  to  deploy, 
operate  and  manage,  backed  by  First  Call  -  Final 
Resolution  global  support. 

To  spend  more  time  at  home,  visit 
www.nokia.com/get_a_life/americas 


NOKIA

Connecting  People 




NEW  RULES  &  REGS 

HERE ARE SOME SECURITY REGULATIONS AND CERTIFICATIONS TO NOTE


Intensifying security- and privacy-oriented
regulation, especially
in those industries considered
part of critical infrastructure (e.g.,
energy, utilities, finance, healthcare,
transportation, communication),
is reshaping the nature of
corporate officers’ fiduciary
responsibility and what it takes to
manage secure IT environments.

Among the regulations with security
implications are the following:

THE U.S. HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT (HIPAA), which
ensures the security and confidentiality
of health-related data and standardizes
electronic data interchange for healthcare
organizations.

THE GRAMM-LEACH-BLILEY ACT (GLBA)
mandates HIPAA-like protections for
financial data.

THE NATIONAL SECURITY TELECOMMUNICATIONS
AND INFORMATION SYSTEMS
SECURITY POLICY (NUMBER 11) took
effect in July 2002; it requires that all
software purchased by the government
for use in a national security setting be
tested to ensure it’s secure.

And then there’s the SARBANES-
Continued on page 10


COMPANY  PROFILE 


KEEPING  THE  MOBILE  WORKFORCE  MOBILE 


Do you know the impact to your company’s bottom line when your mobile workforce is down? A workforce unable to communicate with clients, without access to vital information, can cut into productivity, lead to lost revenue opportunities, erode market share and damage profitability. How can you safeguard your bottom line against the problems associated with mobile workforce downtime?

One  global  pharmaceutical  company  found  out  when  it  secured 
Spherion’s  comprehensive  solution  for  laptop  depot  services  to  support  its 
large,  mobile  U.S.  sales  force.  By  minimizing  exposure  to  downtime,  this 
company  enhanced  the  efficiency  of  its  organization  while  preventing  loss 
of  both  critical  data  and  potential  revenue. 

When  people  are  stopped  in  their  tracks  by  stalled  technology,  patience 
may  be  a  virtue  but  it’s  usually  in  short  supply.  That  is  why  this  firm  put  a 
high  premium  on  speed.  It  wanted  24-hour  turnaround  on  repairs  and  no 
more  than  a  60-second  hold  time  on  calls.  It  wanted  80%  of  its  calls 
resolved  immediately  and  it  had  very  little  tolerance  for  hang-ups. 


Spherion’s comprehensive break/fix solution provides a dedicated technical support staff for warranty and non-warranty laptop repairs, with a guaranteed turnaround time of 24 hours for warranted items; secure data imaging; and inventory management.

PERFORMANCE  RESULTS  RESCUE  REVENUE 

Addressing key productivity measures to ensure minimum downtime for mobile employees, Spherion provided service that surpassed all client expectations including a 40-second call response time, a 95% first call resolution rate and a 3.4% call abandon rate.

Outstanding technical support safeguards the security of client data and protects employee productivity. Laptop repairs that once took three days are now accomplished within a single day. With more than 4,700 representatives nationwide, that means a rescue of nearly $23 million annually in potential lost revenue.


QUICKLY  AND  SEAMLESSLY 

Moving  quickly  and  seamlessly  to  a  new  support  environment,  Spherion 
commissioned  a  dedicated  team  to  oversee  the  transition  and  ensure  that 
there  was  no  service  disruption  to  the  client’s  sales  force.  It  worked  with 
the  client  to  detail  hiring  criteria,  data  security  documentation,  escalation 
and  notification  procedures,  disaster  recovery  and  staff  training. 


For  more  information,  contact  www.spheriontechnology.com. 

©  2003  Spherion  Pacific  Enterprises  LLC.  All  rights  reserved.  Spherion  and 
the  Spherion  logo  are  registered  service  marks  of  Spherion  Pacific 
Enterprises  LLC. 


8  STRATEGIC  DIRECTIONS 


MAXIMIZE I.T. EFFECTIVENESS


With over 35 years of experience, Spherion® Technology helps clients maximize the value of their IT investments through effective planning and implementation of IT solutions. For a leading pharmaceutical provider, this meant providing help desk support 24-7, enabling them to avoid a potential $15 million in lost business per year. Which is why nearly 90% of companies who use us, continue to use us to make their workplace work better.




OXLEY ACT, which went into effect in mid-2002, enacting a slew of new corporate recordkeeping and auditing rules that are bound to shake up how IT professionals store and protect data. The added costs of implementing the act’s new information disclosure requirements will help justify deploying and

“As the global network economy grows in size and complexity, information security and privacy protection require serious reassessment and modification. Organizations are allowing more entry privileges to their infrastructures to a much wider population of partners and processes than ever before,” notes Harry DeMaio, Certified Information Systems Security Professional (CISSP) and (ISC)² board of directors member. “In a sense, organizations have lowered the drawbridge to their fortresses.”

So, how does an organization defend itself in this new interdependent and collaborative environment?

“Trust,” DeMaio says. “A mutual trust among a range of partners and allies directly and interactively sharing infrastructure, applications, data and other resources.”

TRUST: THE ULTIMATE FIREWALL

Trust in the Internet community, says DeMaio, requires answers to these questions:

■ Can I trust the organizations and infrastructures on which I depend?

■ Can they trust me?

■ Together, can we trust our common infrastructure and processes?

“Trust is built on reciprocal protection, clear responsibilities and accepted standards,” he explains. “More than tools and technology, the trustworthiness of the technologists, designers, managers and administrators themselves will continue to spell the difference in the stability, growth and effectiveness of complex, networked information systems. Trust is the ultimate firewall,” he says.

CERTIFIED CYBER-SECURITY WORK FORCE

“A certified cyber-security work force has long demonstrated professional excellence, mutual trust and jealously-guarded ethical reputations,” says DeMaio. “The need for such standards has never been greater. New cyber-threats, exponentially growing networks, increased process complexity and quantum leaps in the information user population, make peak professionalism in every sense of that word a necessity for the information security community.

“Professionalism is crucial regardless of the type or level of security practice,” he adds. “To provide the strongest index of trustworthiness for the growing diversity of professionals in the information trust community, credentialing bodies, such as the International Information Systems Security Certification Consortium (ISC)², must continue to enhance professional certifications.

“That way, as the information security industry evolves, the workforce can continue to evolve and bring trust to the global Internet community.”

For more information, contact (ISC)² at (508) 875-8400 or visit www.isc2.org.


ensuring the survivability of an enterprisewide set of (secure) business applications built around a (secure) database.

These compliance requirements are, in turn, triggering new need for the Generally Accepted System Security Principles (GASSP), expected to be renamed the Generally Accepted Information Security Principles (GAISP), which establish common compliance elements that can be mapped to security regulations and standards.

Meanwhile, ISO 17799 is evolving into a de facto standard for high-level definition of an information security architecture.

Those who’ve met their regulatory obligations will need to show that via certification and/or accreditation.

“TRUST IS THE ULTIMATE FIREWALL.”

Now the U.S. Department of Defense requires that security products (and security-enabled products) be Common Criteria-certified, and the U.S. federal government may adopt this certification standard.

The International Information Systems Security Certifications Consortium’s Certified Information Systems Security Professional (CISSP) and System Security Certified Practitioner (SSCP) certifications become increasingly important as a means of ensuring baseline capabilities of security professionals.

“More than tools and technology, the trustworthiness of technologists, designers, managers and administrators themselves will continue to spell the difference in the stability, growth and effectiveness of complex, networked information systems,” observes Harry DeMaio, CISSP, and (ISC)² board of directors member. “Trust is the ultimate firewall.”




IS THE ULTIMATE FIREWALL

(ISC)² - SECURITY THAT TRANSCENDS TECHNOLOGY℠


Even organizations with identical security technology can have information systems whose trustworthiness isn’t comparable. Skilled, motivated and reliable security architects, designers, implementers, administrators and managers make the difference. Experts whose abilities are coveted, because as holders of CISSP® and SSCP® credentials, they’re the trusted constituents of the non-profit consortium of industry leaders known as (ISC)².

(ISC)² is a non-profit consortium of industry leaders whose charter is to compile and maintain the most comprehensive Common Body of Knowledge (CBK)™. And from this CBK, develop the industry standards for training and credentialing. Those professionals who earn CISSPs and SSCPs, share the credibility of the internationally recognized Gold Standard℠ in information security.


For  more  information  on  training  or  certification,  please  call 

1.888.333.4458 

or  visit  www.isc2.org 




REAL  SOLUTIONS 

BEST  PRACTICES  FOR  PROTECTING 
THE  ENTERPRISE  INSIDE  AND  OUT 


Boundaries between “us” and “them,” between “inside” and “outside” are quickly disintegrating as employees, customers, partners and even databases interact across time, space and corporate confines.

The same technologies that enable business also make protecting assets and ensuring continuity of operations a relentless challenge.

To protect the ever-blurry enterprise perimeter, the National Strategy to Secure Cyberspace, released by the U.S. government in February, calls for improvement in, among other things, key Internet protocols and software and hardware components.

Some tips for protecting the enterprise:

SOLUTION:  BUILD  SECURITY  INTO 
SOFTWARE  DESIGN 

Many business leaders think boosting software security should top any security list, and experts point out that software defects or inadequate configurations have contributed to every major attack on the Internet since 1986. Too often the security patches that are supposed to eliminate vulnerability instead wreak havoc on other applications, forcing IT staffers to choose between two evils.

In an analysis of 45 e-business applications, security consulting firm @stake found that almost half the security defects it discovered were preventable; the best-designed apps have just one-quarter as many flaws as the worst-designed. The most secure apps, @stake concluded, carry 80 percent less business-adjusted risk than the least secure.

The only long-term solution to this

LESSONS  FROM  9/11 

These security lessons were learned the hard way, after the devastating terrorist attacks of Sept. 11, 2001:

■ MOVE SERVERS INTO HARDENED DATA CENTERS. Lower real estate, labor and energy expenses offset technical and regulatory hassles as well as costs of building and running secure structures (estimated at five to 10 times regular old office space in primary cities).

■ BRING RECOVERY SITE PROVISIONING IN-HOUSE. Service provider price increases and demand for higher service levels are making this more cost-efficient.

■ KEEP LESS DISTANCE BETWEEN OPERATIONAL AND RECOVERY SITES. Too much site separation hikes costs, hinders recovery times.


problem, for both CIOs and software vendors, is to integrate comprehensive security planning and testing into their application development processes, says Jeff Artis, senior vice president of national solutions at Spherion, which provides managed services and professional services. “They should develop a security lifecycle that matches their development lifecycle,” Artis says. “Application security is much like quality assurance and testing: Good results come from careful planning and rigid adherence to a well-defined process.”

@stake points to the following best practices in design, coding and deployment that differentiate the most secure applications:

■ Early design focus on user authentication and authorization;

■ Mistrust of user input;

■ End-to-end session encryption;

■ Safe data handling;

■ Elimination of administrator backdoors, misconfigurations and default settings;

■ Security quality assurance.

SOLUTION: PUT YOUR DATA IN A VAULT

“There’ve been millions and millions of dollars spent largely on deploying point products and solutions at the perimeter of the enterprise,” notes Ed Gregory, president of Cyber-Ark, a Dedham,
Mass. -based  information  security  ven- 




NEW  SOLUTION 

THE  INSPIRATION  BEHIND  PATENTED  VAULTING  TECHNOLOGY: 

EXPERIENCE  (AND  AN  EMBARRASSING  MOMENT) 


During Alon Cohen’s tenure as the head of the System and Security Department for the Israeli military, a personal electronic letter to his girlfriend found its way into the wrong hands.

Embarrassing, yes; but, more importantly, he knew that despite a massive investment in traditional security wares, holes existed and exposure of sensitive, confidential electronic information occurred. In his role as a civilian security expert he would discover it was a widespread problem.

Incidents like these forced Cohen to turn the traditional perimeter security model upside down and inside out, applying the same vaulting concepts that banks used to protect physical money to information security. In 1999, he co-founded Cyber-Ark and built the industry’s first vaulting solutions, offering two highly integrated information security solutions for enterprise networks. Today, the Network Vault and the Inter-Business Vault are deployed in over 50 Global 1000 companies.

ONE  WAY  IN-ONE  WAY  OUT 

Instead of only trying to protect the enterprise’s perimeter, Cyber-Ark’s patented Vaulting Technology creates a safe haven for protecting and sharing sensitive information such as account statements and transaction files with customers and business partners. While complementing existing perimeter security investments, the Vault is, in fact, highly secure regardless of the quality of the perimeter investment. This approach means important information and data in the Vault remains protected from security threats and misuse occurring outside the Vault.

By splitting the server interfaces from the storage engine, Cyber-Ark has removed the traditional tradeoff between security and accessibility, creating a single data access channel — only one way in and one way out — protected with many layers of tightly integrated security and performance technologies for maximum protection of data stored inside the vault.

SOLUTION  DEPLOYED  IN  MINUTES 

Sound complex? Not for users, who get a dramatically simplified approach to information security that works with all the familiar applications (Word, PowerPoint, E-mail, Online Banking, etc.) and doesn’t require any new training.

Administrators with little or no security experience can deploy the solution in just minutes, and easily audit and manage it without an army of security professionals. With Cyber-Ark, accessibility finally doesn’t need to trump security.

For  more  information  on  Vaulting  Technology,  contact 
Cyber-Ark  at  www.cyber-ark.com. 



dor.  “While  these  are  good  products  in 
their own right, they’re very general-purpose in nature — and despite huge investments, statistics show that 80 percent of all companies surveyed have experienced financial loss due to security breaches. Something fundamental is not working the way it needs to.”

Rather than try to protect the entire perimeter of a network, which experts and data suggest is impossible, Gregory’s firm seeks to secure one place in the network regardless of its overall security: an electronic vault.

Kris Zupan, CEO/CTO of e-DMZ Security, a provider of co-managed security services and reseller of Cyber-Ark’s vaulting technology says, “Vaulting technology provides an effective alternative for organizations that have the requirement to securely share data.

“Even in organizations lucky enough to have encrypted email across the enterprise, you’re still stuck with the problem of versioning, retention, and delegation of access,” Zupan says. “Vaulting technology can allow the data owners to proactively protect and share their data with a minimum of overhead.”

Zupan, who spent more than a decade viewing security from the user side of the equation at a Fortune 500 financial services firm and later at a Fortune 500 chemical manufacturer, says vaulting is an enabling technology specifically designed for “people who do security.”

Vault solutions, such as those from Cyber-Ark, DigitalNet and others, can safeguard critical data and applications. Cyber-Ark’s offerings, for example, support a wide array of secure ID, tokens, smartcards and digital certificates, and enable organizations to create a secure location in the network where vital information can be protected and shared within an enterprise as



well  as  among  partners,  customers  and 
suppliers. 

SOLUTION: LAYERS OF INTRUSION DETECTION AND PREVENTION

Stopping attacks and preventing intrusions require several layers of defense.

Firewalls make it harder for attackers to gather intelligence on services, specific implementations and possible vulnerabilities. Intrusion detection systems (IDSs) send up alarms when attacks get past firewalls. Most experts agree that these solutions should be used together along with such other tools as antivirus scanners and encryption.

“Most of the damage done by viruses, Trojans and worms in the last two years was entirely a side-effect of overloading the networks,” says Christian Byrnes, vice president and service director for security and risk strategies at Meta Group. “None of the broadly distributed malicious code has carried a destructive payload — that is an extremely important issue. One broadly spread virus with the replication ability of Code Red, NIMDA or SQL Slammer, but with an intentionally destructive payload, would do very significant economic damage to the United States, as well as the rest of the world. More companies could be destroyed this way than by any previous disaster.”

Although  they’re  important  lines 
of  defense,  antivirus  scanners,  firewalls 
and  IDSs  are  reactive  solutions.  Signa- 
Continued  on  page  16 


FIREWALL STRATEGIES

■ PLAN FOR MORE THAN ONE. A firewall should be dedicated to filtering one type of traffic, and applications should be sorted into groups according to their security requirements.

■ CONSIDER INSTALLING FIREWALLS ON INTERNAL SYSTEMS as well as public servers, to defend against internal misuse.

■ DON’T OVER-DEPLOY. Instead, use firewalls in conjunction with other technologies, such as antivirus software and intrusion detection systems.

■ DISABLE UNUSED SERVICES.

■ MONITOR YOUR FIREWALLS REGULARLY, looking at both inbound and outbound connections.


COMPANY PROFILE


Computer Associates (CA) understands that today’s organizations need to be in complete command of their enterprise security. CA’s eTrust™ security solutions holistically address all aspects of business security, enabling an enterprise to quickly and effectively embrace new opportunities, improve operational efficiencies, reduce costs, and proactively manage virtually all security threats and risks to the organization.

CA’s eTrust solutions are grouped into three areas: eTrust™ Identity Management; eTrust™ Access Management; and eTrust™ Threat Management; each of these can be consistently and visually managed through eTrust™ Security Command Center.

eTrust Identity Management solutions centralize and automate the creation of user accounts and approval workflows, provisioning both IT and non-IT resources while reducing costs through process automation. It also increases user productivity through integrated single sign-on and self-service, including password resets. Supported by strong authentication and a scalable identity repository, CA’s eTrust Identity Management solutions manage every aspect of the business identity.

eTrust Access Management solutions secure critical business assets by centralizing and strengthening security, regardless of operating system, platform or business application and whether or not resources are web-based. This technology also offers the strongest possible protection through active dynamic security — preventing both internal breaches and external security attacks while monitoring violations across all access devices. Through the consistent application of access policies, organizations can deliver productivity-enhancing personalization while reducing management costs.

eTrust Threat Management solutions detect, analyze, warn, prevent and cure attacks, across the environment. Through active and adaptable risk mitigation, threats are immediately isolated through multiple detection techniques, its spread is contained and lastly extinguished. CA’s eTrust Threat Management solutions empower organizations to adapt their security defenses to new situations without increasing operational overhead or costs.

eTrust Security Command Center reduces, aggregates, correlates and prioritizes disparate security data across the enterprise by converting it into intelligent, actionable information that can be managed from a single, centralized location. eTrust Security Command Center’s “See it All, Manage it All” solution allows you to gain full security command-and-control.

With a holistic approach to managing security across the entire environment, CA’s eTrust security solutions provide the power to secure.


For more information, contact (831) 342-8000 or visit www.ca.com.


Computer  Associates® 




Can  your  antivirus  software  provide  double  the  scanning  power?  Our: 


Making  sure  your  company  is  secure  gets  more  and  more  difficult  every  day.  That's  why  eTrust™  Antivirus  v7 
from  Computer  Associates  uses  dual  scanning  engines  to  ensure  comprehensive  virus  protection.  It  processes 
data  in  real  time  to  search  out  and  eliminate  viruses,  and  it  also  scans  files  during  prescheduled  and 
off-peak  hours.  All  at  the  cost  of  most  single-engine  AV  products.  It's  more  than  just  twice  the  protection. 
It's  twice  the  peace  of  mind.  ca.com/etrust/antivirus 


eTrust™  Antivirus 


Computer  Associates® 


© 2003 Computer Associates International, Inc. (CA). All rights reserved. eTrust™ Antivirus was formerly known as eTrust™ InoculateIT™.




ture-based  IDSs,  for  example,  will  spot 
only the attacks they’ve been programmed to recognize, leaving a “window of opportunity” between time-of-attack and release of patches. Some thoughts on these solutions:

Application firewalls. Designed to protect specific services from attack, an application firewall uses definitions of acceptable input to recognize and halt abnormal protocol sessions before they reach the application itself. Thus application firewalls can eliminate entire classes of vulnerabilities, such as format string attacks or buffer overflow attacks.


When should an organization consider seeking outside help to ensure its information security? Here are the most common recommendations:

AUDITS: To reduce the dangers of security flaws in software, says Chad Robinson, senior research analyst at the Robert Frances Group, “IT executives should arrange for regular audits of internally developed code by both automated vulnerability assessment tools and trained security professionals.”

Outside experts can keep your security solutions up to date, too. John Stehman, principal analyst at the Robert Frances Group, advises getting experts to annually “checkpoint the existing solution against best of breed and make sure it is still effective against prevalent types of attacks.”

VULNERABILITY ASSESSMENTS: Most CIOs and CSOs recognize that periodic security reviews have become an operational necessity, says Jeff Artis, senior vice president of national solutions at Spherion’s technology services division. “Even though the internal IT department may do an outstanding job, an independent review from an outside expert provides several important benefits,” Artis says. In addition

Beyond detection: preventing intrusions. By inspecting system calls against behavioral rules, intrusion prevention solutions such as those from Watchguard, Cylant and SecureWave can catch all manner of bad stuff, including illegitimate system calls, registry changes, and such malware as Trojan horses, backdoors, rootkits, worms. System administrators can control with some delicacy the rules by which intrusion prevention solutions judge application behavior, imposing limitations by application, class of user, platform and so on.


to finding exposures that your team might not be aware of, an objective examination can provide new perspectives on vulnerability and risk, make recommendations for continuous improvement or simply verify an expected level of protection.

COST REDUCTION: Managed security services can save midsize companies as much as 80 percent of in-house security costs.

As for criteria for selecting a managed security services provider, consider these tips:

■ Make sure the provider is well-funded. That means at least several million dollars of capital available. And check the provider’s plans for tough times.

■ Take a close look at the provider’s security operations centers. When doing your own due diligence, insist on bringing along a specialist who can assess the provider’s technology and processes.

■ Check out the provider’s policies and procedures.

■ Ensure that provider can handle your business. Even if data volumes double or triple.

■ Find out how the provider’s current clients regard support services. Were issues resolved promptly, satisfactorily?


Gateway IDS: firewalls and IDS converge. Integrating multiple methods of intrusion detection (signatures, protocol and traffic anomalies) with firewall features, gateway IDSs — like those from Internet Security Systems (ISS), Top Layer Networks and NetScreen — operate in the data path so they can respond to attacks by actively dropping packets. ISS’s RealSecure Guard analyzes traffic in real time and blocks attacks, creating a virtual TCP/IP stack to reassemble packets and decide if the traffic should be permitted or blocked. Top Layer Networks’ ASIC-based Attack Mitigator has been preconfigured to identify HTTP URI exploits, denial of service attacks, Trojan horses and other hybrid threats using advanced “normalized” deep packet and multipacket HTTP URI matching and wildcard checking.

Trusted operating systems. For mission-critical servers that don’t change a lot, you can use trusted OSs, industrial-strength tools that protect the entire operating environment. Trusted OSs compartmentalize resources (processes, ports, network interfaces, files), enforce mandatory access control and employ least-privilege user restrictions. Trusted OSs cost more and take longer to configure correctly, but offer strong security for host systems. To standard trusted OS functions Computer Associates’ eTrust Access Control adds central management and policy sharing across systems, centralized auditing for all systems and synchronization with mainframe authentication. Nokia’s IPSO is an appliance-optimized, clusterable OS that’s used as the secure OS for firewalls, VPNs and intrusion protection systems. It also supports operator-to-operator roaming border gateway applications and is put to work within mobile GSM, GPRS and 3G networks to route and control mobile data.


THE  INS  &  OUTS 

OF  OUTSOURCING  SECURITY 


16  STRATEGIC  DIRECTIONS 


CIO  ADVERTISING  SUPPLEMENT 


SECURITY: NEW REALITY CHECK | REAL SOLUTIONS


NEW  SOLUTION 

A CO-MANAGED SOLUTION FOR SECURITY AND CONTROL


“In today’s dynamic environment, security needs to be managed
constantly and consistently,” notes Kris Zupan, CEO/CTO of e-DMZ
security. “Changing threats require more specialized expertise than
ever before, but, unfortunately many organizations lack an adequate
supply of qualified security professionals.”

Moreover,  turning  to  traditional  managed  security  solutions 
may  no  longer  be  an  optimum  choice,  says  Zupan,  because  “they 
take  away  too  much  control,  while  legislation  like  HIPAA  demands 
companies  to  be  in  control  like  never  before.” 

The solution, he explains, can be found in Co-Managed Security
Services (CSS), which adds a well-established security team to an
organization’s existing arsenal of defensive capabilities. Unlike
traditional Managed Security service clients, CSS users retain
administrative privilege on all devices, have real-time access to all
changes made on their behalf and dictate change control.

FEWER  PEOPLE,  LESS  TIME,  FRACTION  OF  THE  COST 

“No security expert knows your company’s challenges and environment
better than the people who are currently supporting it,” says Zupan.
“With co-managed security services, you can add experience, expertise,
and energy without changing policy or standards. It delivers a mature
operational model with years of automation and enterprise experience,
while enabling an organization to manage its security infrastructure
the way it wants ... with fewer people, in less time, and at a
fraction of the cost,” he adds.

It  also  delivers  the  freedom  to  be  productive,  according  to  an 
IT  executive  at  a  Fortune  500  Pharmaceutical  company  currently 
using  e-DMZ’s  CSS  offering,  who  says  it  has  given  “our  engineers  the 
freedom  to  move  forward  with  planning  and  architecture  concerns 
for  our  perimeter  security  systems  without  having  the  worry  of 
ensuring  that  day-to-day  responsibilities  are  completed.” 

e-DMZ Security’s experience supporting highly regulated industries is
reflected in its own CSS methodology and services. All of e-DMZ’s
processes include dual control mechanisms and optimize availability as
well as strong, auditable processes and the commitment to never pass
an unencrypted packet. e-DMZ’s list of services includes co-managed
firewall service, co-managed intrusion detection services, co-managed
Unix security, and ESMS+, a unique highly automated security solution
ideal for small to mid-size organizations.

For  more  on  co-managed  security,  visit  www.e-dmzsecurity.com. 



Web server shields. For environments where trusted OSs are too
intrusive, Web server shields such as those from Entercept Security
Technologies, Watchguard Technologies and eEye Digital Security offer
more flexibility by enabling control over Web servers to be
customized. eEye Digital Security’s SecureIIS protects against such
Web server attacks as buffer overflows, directory traversals and
parser evasions.

SOLUTION:  BRING  IT  ALL  TOGETHER 

A number of vendors have begun combining key information security
solutions into single appliances of many varieties, making it easier
for organizations large and small to field centralized but flexible
platforms that can handle multiple security requirements.

For instance, Ingrian Networks offers an integrated security platform
that encompasses authentication, encryption, cryptographic key
management, real-time application protection, secure storage and audit
functions.

Nokia’s enterprise-oriented IP530 — which is integrated with Check
Point’s VPN-1/FireWall-1 software — delivers VPN, firewall and
intrusion detection capabilities. And Internet Security Systems (ISS)
has teamed with Nokia to turn out RealSecure, an IDS appliance built
on Nokia firewall resources.

FTI, which offers financial restructuring, litigation support and
engineering/scientific investigation services, needed to link all
offices to its intranet and set up “war rooms” for clients on a
separate, secure extranet. The solution replaced a frame relay network
with a Check Point virtual private network (VPN) and Nokia’s network
security appliances. FTI runs the new network, including client war
room sites, for 60 percent less than the cost of a frame relay design,
enabling the firm to see ROI within a year.

“Many corporate security initiatives include the implementation of
intrusion detection systems throughout the network,” says Dan
MacDonald, vice president for product management, at Nokia Internet
Communications. “While implementing IDS systems in remote offices is
critical to achieving robust security, traditional approaches are not
feasible due to complex integration and virtually no remote management
capabilities.”

SOLUTION:  IDENTITY  MANAGEMENT/ 
SINGLE  SIGN-ON 

Multiplicity is doing a number on the ability of organizations to
manage how users are granted access to information and applications.
User information resides in too many locations (databases,
directories, operating systems) and gets managed by too many different
utilities (portals, access management tools, platform-specific admin
tools, password management tools).

Technologies that enable IT staff to centrally manage user accounts
and access rights across diverse IT environments and platforms offer
impressive ROI. Gartner Group reports three-year payback at
triple-digit-percent levels, achieved chiefly by staff reductions in
helpdesk, security administration and application development
functions.

Computer Associates’ eTrust Identity Management solutions, for
instance, integrate single sign-on with a variety of techniques —
including PKI, biometrics and hardware tokens — into a user management
process that spans applications and environments, cuts costs via
Web-based self-administration, and stays flexible because of an
extensible identity directory.

The payback can be significant. A study conducted by Gartner and
sponsored by Ernst & Young LLP,

EMERGING  TECHNOLOGIES,  EMERGING  RISKS 


The  rapid  growth  of  electronic  business  processes  and  the 
technology  to  support  them  has  introduced  a  new  level  of 
complexity  to  managing  security  enterprisewide,  says  Brian 
Bilodeau,  vice  president  for  data  movement  solutions  at 
Sterling  Commerce.  “Not  only  do  processes  span  business 
units  within  an  organization,”  he  says,  “but  they  also  extend 
outside  to  include  customers,  suppliers,  financial  institutions, 
business  partners,  governmental  and  regulatory  agencies, 
and  other  constituencies.” 

That’s not all. Extended business processes involve sharing of data
among the participating constituencies and software applications that
implement elements of a business process, Bilodeau notes. Implementing
an electronic business process requires CIOs to build an
infrastructure that enables the automated movement of data while
addressing all the requirements for securing data.

Bilodeau points to the use of FTP for ad hoc transfer of business
data. Even when users encrypt the data before transferring, the use of
FTP creates a high security risk because security information, such as
user IDs and passwords, is often stored and transmitted in clear text.
“CIOs and CSOs must look for ways to secure the use of FTP within
their enterprise,” Bilodeau says.

Here are some suggestions for securing some of the popular new
technologies:

SECURE  DATA  EXCHANGE 

A range of options, from classic electronic data interchange (EDI) to
Internet-based data interchange with or without added capabilities
(such as project management) are available from providers like Global
exchange Services, Inovis, Sterling Commerce and QRS Corp.

Sterling  Commerce’s  Connect:Direct  offerings,  for 
instance,  feature  assured  data  delivery,  checkpoint/restart, 
cryptographic  suite  for  authentication,  encryption  and  data 
integrity,  firewall  navigation  and  data  compression. 

Others,  such  as  Sigaba,  offer  secure  messaging  solutions 
with  configurable  policies  that  permit  administrators  to 
determine  which  messages  are  encrypted,  archived  or  flagged 
for  further  review. 

CONTROL  I.M.  OR  EXTERMINATE  IT 

The immense popularity of instant messaging and other peer-to-peer
technologies puts pressure on IT staff to do something about the
security challenges they pose. By 2006, says IDC, almost half of the
506 million IM users will be in businesses. Yet widely used IM
freeware (from AOL, Microsoft, Yahoo) is virtually unsecured. They
transmit data in the clear; they bypass firewalls, antivirus scanners
and intrusion detection systems. You can try to keep IM use in-house
(good luck). Network intrusion detection systems can be used to
monitor all traffic traversing a firewall and spot known IM traffic
patterns. Network recording systems, such as those from Sandstorm or
Niksun, can also do the trick.

Or  insist  that  an  enterprise-oriented  IM  solution  —  such 
as  IBM’s  Lotus  Sametime  or  Sigaba’s  Secure  IM  —  be  used. 
These  build  encryption,  authentication  and  LDAP  integration 
into  the  IM  solution. 




Microsoft, Netegrity and Protiviti concluded that a business of
10,000 employees deploying an automated provisioning solution could
see an ROI approaching 300 percent and savings of $3.5 million in
three years. A business with 50,000 employees implementing an extranet
access management solution can expect an ROI of 375 percent in three
years.

Real-world results are impressive, too. A survey of 145 U.S. companies
by Nervewire found that 38 percent anticipate a fivefold return on
their identity management solution investments, thanks mostly to
achieving improved customer service, which produces higher customer
satisfaction and better customer retention.

SOLUTION:  THREAT  MANAGEMENT 
SYSTEMS. 

“Many organizations of all sizes have been overwhelmed with security
management and the difficulties in protecting themselves across the
extended enterprise in a cost-effective manner,” says Tom Noonan,
chairman, president and CEO of Internet Security Systems (ISS).

“The  best  approach  to  security 
enables  organizations  to  proactively 
protect  against  potential  security  risks 
when  vulnerabilities  are  first  discovered 
and  before  threats  can  become  active 
attacks,”  says  Noonan.  “The  result  is 
more  effective  resource  planning  and 
timely  response  to  both  known  and 
unanticipated  threats  with  minimal 
impact  on  production  systems  or  daily 
business  operations.” 

All the events reported by all security systems have been gathered and
distilled manually for some time. But the volume and complexity of
security data makes such manual event correlation impossibly costly.

Security  information  management 
systems  work  in  the  background  24/7 


CASE  STUDY 


“We put a tremendous emphasis on security,” says David McCampbell,
senior vice president and CTO at Magnet Communications, a provider of
Web-based cash management and business banking solutions to the
nation’s top-performing financial institutions.

Not surprisingly, security was a critical element McCampbell and his
team used to evaluate the software it needed to support Magnet’s ASP
business. After an in-depth review, reports McCampbell, Magnet chose
Sterling Commerce’s Connect:Direct (a peer-to-peer file-based
integration software solution) and Connect:Direct’s highly versatile
Secure+ Option for data confidentiality, message integrity, server
authentication and client authentication.

BEYOND A SHADOW OF A DOUBT

“Secure+ is a key component of Connect:Direct for us and for many of
our client banks,” says McCampbell. “With Secure+, we know — and our
client banks know — that data is in the most secure fashion when it’s
being transferred by Internet or over frame relay.”

According to McCampbell, Secure+ provides “plenty of mutual
authentication” by making use of such technologies as digital
signatures and SSL for data encryption.

“So, if I’m sending data, you know and I know that you and I are
talking to each other; in other words, I know you’re the only one
seeing it,” he explains.

Moreover, he says, Secure+’s use of industry accepted hashing
algorithms makes it impossible to tamper with the data as it’s being
transmitted.

“This is critical financial information being transmitted between
Magnet and our client banks — multimillion-dollar wire transfers, stop
payments, balance information, payroll and tax information — and we
must be able to ensure beyond a shadow of a doubt that no tampering
has occurred during the transmission and transfer of the data. Secure+
gives us that confidence.”

David E. McCampbell
Senior vice president and CTO
Magnet Communications

Magnet, which has been using the Connect:Direct and Secure+
combination since 2000, is extremely pleased with the performance of
Sterling Commerce’s products.

“We’ve  seen  no  degradation  in  service;  it 
just  hasn’t  been  an  issue.  Performance  has 
been  great,  very  efficient,  very  reliable  and 
there  hasn’t  been  much  in  the  way  of  on-going 
maintenance,”  he  says. 

McCampbell,  however,  saves  his  greatest 
praise  for  Sterling  Commerce’s  support. 

“They excel at training, act like a partner not a vendor, and take
responsibility for quickly addressing any issues that arise — you
can’t ask for much more,” he says.

For more information, contact Sterling Commerce at
www.sterlingcommerce.com.




doing dynamic risk correlation — consolidating all security data and
translating inputs into a homogenous set of events that are analyzed
with an assortment of techniques to identify threat conditions.
Because these automated systems can handle many inputs, defense in
depth and breadth is feasible. And because IT staff get results in
real time, threat intervention can be timely and effective.
Furthermore, the comparative metrics generated enable early detection
of changing conditions and patterns.

ISS’s RealSecure SiteProtector, for instance, combines intrusion
detection, prevention and response as well as vulnerability
assessment, policy compliance, and data collection and analysis — all
of which is accessible via a centralized, policy-based management
console.

SOLUTION:  INTEGRATED  SECURITY 
MANAGEMENT 

The complex heterogeneous network and application environments that
are necessary for empowering e-business have spawned equally intricate
security and management processes. Implementing security policies
across such environments while maintaining an appropriate balance
between business performance and risk mitigation is proving difficult.
Moreover, in too many organizations, managing user access rights means
juggling multiple directories, user lists, password lists, application
access lists and password reset activities.

“CIOs and CSOs are suffering from security information management
overload,” says Toby Weiss, senior vice president for eTrust Security
Solutions at Computer Associates. “Millions of messages from
firewalls, VPNs, antivirus products, access control products,
directories, etc., cause them to suffer from a signal-to-noise
problem.”


THE  VALUE  OF  PRIVACY 

WHILE  PROTECTING  YOUR  ASSETS,  BE  SURE  TO 
RESPECT  YOUR  CUSTOMERS’  PRIVACY,  TOO 

Stories abound of organizations tempted by all that customer
information into violating their customers’ trust — even if they
figure out ways around corporate privacy policy. The stories generally
end badly for the organizations, leading to the conclusion that not
respecting customer preferences about how their information is used
too often turns into a costly mistake. Similarly, not protecting that
information sufficiently can also be costly. Customer fears about
privacy are starting to shape their purchasing decisions. IBM found in
a recent study that 54 percent of U.S. consumers have chosen not to
buy something from a company because they were unsure about how their
personal information would be used, and 70 percent want to see a
website’s privacy notice before buying.

“To maintain a positive reputation and trust between organization and
customers, enterprises must make privacy a top priority,” says Jim
Dunn, network manager at Citywide Banks in Aurora, Colo.

“CIOs, CSOs, and their companies should think of their customers
first, before any legal responsibility,” Dunn says. “This should be
first and foremost for any company that respects their customers and
wants to foster trusted long-term relationships with them.”

Dunn notes that SEC and regulations such as HIPAA for health-care
organizations and the Gramm-Leach-Bliley (GLB) Act in the financial
services sector mandate that effective privacy measures be put in
place, and companies are being audited on their compliance — with
stiff penalties being imposed for failure to comply.

Cultivating trust begins with an information privacy policy that
respects customer preferences. Some considerations:

Opt-out defaults indicate greater concern for customer wishes than
more aggressive opt-in defaults that assume customers grant permission
for further contact (the consolation: when customers choose to opt in,
they’re likelier to respond to contact).

Frequent communication with customers helps ensure that
information-use practices remain acceptable.

Regular audits make it easier to track what data is being gathered,
how it’s used, and how it’s secured.

Dunn suggests using a combination of policy and technology. For
example, each document can be sent with a notice that the recipient is
responsible for maintaining the privacy and confidentiality of the
message. The administrator can also set a policy that the message
cannot be stored in decrypted form, thus reducing the possibility that
an unauthorized recipient could gain access. In addition, if a key
server is being used in secure document delivery, the key can be set
to expire after a given period of time.




SECURITY  SOLUTIONS  CENTER 


BAI  Security 
Contact:  Steve  Thompson 
E-Mail:  8thompson@baisecurity.net 
Phone:  (630)  579-8870  x104 

www.baisecurity.net 

BAI Security is a Managed Security Services Provider (MSSP). Since
1994, BAI Security has been providing customers with a full suite of
information security services which include Managed Firewall,
Intrusion Detection, Web/Email Content Filtering, AntiVirus, and
Penetration / Vulnerability Audit Services. BAI Security provides
support for customers on a local, national, and international basis.
Schedule Your 2003 Information Security Audit Today!




RedSiren 

Contact:  RedSiren  Sales 
E-Mail:  sales@redsiren.com 
Phone:  (877)  360-7602 


www.redsiren.com 

RedSiren, the world’s largest privately held provider of IT security
management, provides enterprises with a higher level of security by
protecting their computer networks and corporate-critical information
from unauthorized access. RedSiren specializes in the analysis and
design of security strategies, security awareness training,
vulnerability and security technology management and the defense of
corporate networks.


Bodacion  Technologies 

18-3  E.  Dundee  Road,  Suite  300,  Barrington,  IL  60010 

Contact:  Jenny  Franzese 

E-Mail:  sales@bodacion.com 

Phone:(847)  842-9008  Fax:(847)  842-1731 


www.bodacion.com 


Bodacion Technologies has created HYDRA, a secure Web services
appliance built from the ground up to be totally secure, highly
reliable, and require near zero maintenance. HYDRA is unlike any other
web appliance, offering the advantages of a real-time embedded device
with unparalleled security and reliability.




Riverhead  Networks 
E-Mail:  info@riverhead.com 
Phone:  (408)  253-5700 


www.riverhead.com 

Riverhead Networks delivers solutions that block all known — and
previously unseen — DDoS attacks without impacting legitimate business
operations. Based on a unique Multi-Verification Process (MVP)
architecture, Riverhead solutions use patent-pending algorithms to
automatically detect DDoS assaults and block only specific attack
flows, allowing legitimate business traffic to flow freely.


eEye®  Digital  Security 
E-Mail:  sales@eeye.com 
Phone:  (866)  339-3732  x1 


www.eeye.com 

A leading developer of proactive enterprise security software and an
active contributor to network security research, eEye’s Retina®
Network Security Scanner is rated as the industry’s #1 vulnerability
assessment solution. Other offerings include SecureIIS™ Web Server
Protection, Iris® Network Traffic Analyzer, REM™ Remote Enterprise
Management, and Blink™ Intrusion Prevention System.


Ingrian Networks
E-Mail: inquiries@ingrian.com
Toll Free: (866) INGRIAN
Main: (650) 261-2400
Fax: (650) 261-2401

www.ingrian.com

Ingrian™  Networks  delivers  on  the  promise  of  e-Transaction 
Privacy™,  enabling  forward-looking  businesses  to  protect  their 
applications  and  data  in  transit  across  the  Internet  and  in  storage 
within  the  enterprise.  The  company’s  security  solutions  ensure 
complete,  end-to-end  privacy  of  all  Web-based  transactions, 
including  e-commerce,  e-mail,  ERP,  and  more. 


Sigaba 

E-Mail:  sales@sigaba.com 
Main:  (650)  572-6100 
Toll  Free:  (800)  475-8226 

www.sigaba.com 

Sigaba  Secure  Email,  Secure  Statements  and  Secure  Instant 
Messaging  are  the  most  flexible  and  easy-to-use  solutions  for 
securing  corporate  and  government  communications  on  the 
Internet  and  wireless  networks.  Secure  messages  can  be  sent  to 
virtually  anyone,  without  requiring  the  recipient  to  install  any 
special  software. 


For  more  information  and 
up  to  date  security  research  and 
resources  please  go  to: 
www.cio.com/research/security 
or  csoonline.com 

For  additional  customer  success 
stories  please  visit: 
www.cio.com/limitedbrands 


SECURITY: NEW REALITY CHECK | THE SECURITY STRATEGY IMPERATIVE


Continued  from  page  6 

Internet Security Systems, Computer Associates, and Foundstone.

CREATING  A  SECURITY  POLICY 

You’ll need operational policies that are customized to your
organization’s business requirements, so you’ll have a set of
rules-based standards for managing infrastructure and handling events.

Such  policies  should  delve  into 
some  detail  and  include  rules  about 
such  issues  as  which  services  to  disable, 
which  operating  systems  (OSs)  to 
harden  and  which  systems  the  network 
can  access. 

Make sure you know that policies are being followed. Assessment tools,
such as Internet Security Systems’ Scanner offerings, can help spot
problems and send alerts. Computer Associates’ eTrust Policy
Compliance monitors systems and databases, and provides auditing and
correction of security breaches.

“My advice,” says Toby Weiss, senior vice president for eTrust
security solutions at Computer Associates, “is to build off of best
practices, constantly review the policy and audit, and assess its
enforcement.” Most companies have a corporate policy document, but the
challenge is how to turn that document into IT security policy,
automatically enforce and audit that policy, and loop back and improve
the policy.


Ancient  military  wisdom  can  be 
grimly  simple:  Several  tiers  of  defense 
are  better  than  one. 

This  means  planning  not  only  for 




BUSINESS  CONTINUITY: 

THE  DARK  SIDE  OF  SECURITY  PLANNING 


Of the more than $40 billion that insurance companies paid out because
of the September 11 attacks, more than 25 percent — $11 billion — was
for claims relating to business interruption.

Some  industry  experts  say  that  among  organizations 
that  suffer  significant,  sustained  disasters,  20  percent  are 
completely  out  of  business  within  24  months. 

Yet  many  companies  simply  don’t  have  disaster 
recovery/business  continuity  plans.  Many  of  those  who  do 
have  allowed  them  to  become  out  of  date.  Still  other  plans 
have  dangerously  ignored  key  human  factors. 

To  ensure  your  organization’s  survivability,  you’ll 
need  a  business  continuity  plan  that  is: 

■ Based on the best possible understanding of the survivability risks
faced by your organization. This includes reviewing assumptions about
the risks your enterprise faces, and don’t forget about partners,
suppliers, customers. Since organizations’ security requirements are
unique, Robert Francis Group recommends that CIOs and CSOs develop
business application profiles that define security requirements for
each application or area, including database, file, e-mail and Web
servers.

■  Up  to  date  and  comprehensive,  identifying  and  tackling 
all  potential  points  of  failure. 

■ Addressing technology issues in terms of business operations. These
include rapid restoration of operations, critical technologies and
personnel.

■  Developed  with  the  input  and  support  of  line-of-business 
managers  and  key  constituencies,  since  the  plan  will  be 
expected  to  work  across  the  organization,  not  just  among 
IT  staffers. 

■  Tested  and  refined  —  and  then  regularly  re-tested  and 
re-refined  thereafter,  especially  with  every  substantive 
change  in  infrastructure  and  processes.  Expect  to  modify 
vendor  relationships  along  the  way. 




multiple layers of carefully positioned and configured security
technology solutions at both the host and network level — such as
firewall, intrusion detection systems and antivirus software — it also
means layering authentication procedures; continuously monitoring and
patching systems, networks and applications; and handling people
(paying attention to the discontented, for instance).

PROTECTING  YOUR  ASSETS 

“Face  it,”  says  MIT’s  Foss,  “people 
write  software  programs  and  people 
make  mistakes.  There  will  always  be 
security  issues  in  software.” 

The  question,  then,  is  how  to  keep 
them  from  doing  harm. 

Meta  Group’s  Byrnes  has  these 
suggestions: 

■  BUILD  DESIGN  STANDARDS  for  various 
identified  security  level  requirements. 
Development  teams  should  self-certify 
against  the  design  standards  for  that 
level. 

■  APPLICATION  DEVELOPMENT  TEAMS 
SHOULD  USE  DEFINED  METHODS  for  gath¬ 
ering  security-level  information  from 
application  owners  in  the  business 
units. 

■  EITHER  THE  INFORMATION  SECURITY 
DEPARTMENT  OR  INTERNAL  AUDIT  SHOULD 
SPOT  CHECK  for  compliance. 

■  PRE-PRODUCTION  Q.A.  TESTING  SHOULD 
INCLUDE  COMMON  SECURITY  FAILURE 
TEST. 

The bottom line of security strategy: Think ahead.

“Don’t just think about what you need today,” suggests Jim Dunn,
network manager of Citywide Banks in Aurora, Colo. “Think about what
you’ll need years down the road as you grow and become more
sophisticated, so that you can leverage your existing investments and
scale them broadly and for many more uses.”


COMPANY  PROFILE 




Security is hard. It requires tremendous technical expertise, is
expensive to do well and is rarely part of an organization’s core
business model. In addition, the online threat spectrum continues to
evolve with sophisticated hybrid attacks that can circumvent firewalls
and antivirus technology.

No  one  doubts  the  need  for  secure  online 
business  operations.  The  challenge  is  how  to 
do  so  efficiently  and  effectively.  That’s  where 
the  Dynamic  Threat  Protection  approach  pro¬ 
vides  a  clear  advantage  over  other  security 
methods. 

TO  PROACTIVELY  PROTECT  AND 
SECURE 

The Dynamic Threat Protection approach is the natural evolution of
Internet Security Systems’ (ISS) market-leading vulnerability
assessment, intrusion detection and security knowledge offerings.
After all, effective protection requires the best analysis, detection
and response possible.

Dynamic Threat Protection enables companies to proactively protect against potential security risks when vulnerabilities are first discovered and before threats become active attacks. This combination improves the value of each security dollar invested, especially for extended enterprises with many gateway devices, a lot of remote or mobile workers, and a strong need for centralized administration and control.

Dynamic Threat Protection requires three essential steps. Implement best-in-class protection technology. Deploy that technology with platform coverage across the entire enterprise. Establish up-to-date readiness to combat new threats.

KEY  ADVANTAGES  OVER 
MANUAL  AND  POINT 
SOLUTIONS 

This  approach  leads  to  three  key  advantages 
over  the  manual  methods  and  disparate  point 
solutions  prevalent  in  the  marketplace  today: 

■  ACCURACY  —  The  Dynamic  Threat 
Protection  approach  rapidly  and  accurately 
detects  attacks  and  minimizes  false  positives. 

■  PERFORMANCE  —  Dynamic  Threat 
Protection  offerings  operate  at  increasingly 
rapid  line  speeds  across  the  network,  and 
scale  from  workgroups  to  multinational 
organizations  with  many  locations. 

■ LOW TOTAL COST OF OWNERSHIP (TCO) — The Dynamic Threat Protection approach significantly lowers TCO by minimizing the need for manual intervention in the security process and automating the discovery and repair of potential vulnerabilities.

Available only through ISS and its partners, products and services based on the Dynamic Threat Protection approach give security staff the ability to quickly concentrate efforts on the most urgent issues. The end result is more effective resource planning and timely response to both known and unanticipated threats with minimal impact on production systems or daily business operations.

To  learn  more  about  Internet  Security 
Systems  and  Dynamic  Threat  Protection, 
please  visit  www.iss.net  or  call  888.901.7477. 




In  a  world  where  there’s  a  different  kind  of  threat  every  day,  you  need  a  different  kind  of  security. 

New  threats  can  blow  right  through  any  firewall  or  anti-virus  software.  That's  where  we  come  in.  Our  dynamic  protection 
helps  you  conduct  business  safely  in  the  face  of  ever-changing  threats  and  increased  risk.  From  proactive  research  and 
award-winning  software  to  24/7  protection  and  response  services,  our  solutions  detect,  prevent  and  respond  to  online 
attacks and misuse. No matter who you're up against. To learn more, call 800-776-2362. Or visit www.iss.net/ad/ciomag.

Internet Security Systems


-CIO  of  a  $7  billion 
insurance  company 


“I am getting tremendous value out of the board-level presentations I have downloaded from Select.”

-CIO  of  a  $3  billion 
manufacturer 


CIO  Select  is  an  exclusive 
networking  program  that 
helps  CIOs  share  ideas, 
documents  and  advice. 


Membership  in  CIO  Select  is  reserved  for  CIOs 
of  midsize  to  large  organizations. 


“The Select Member CIO you put me in touch with was knowledgeable, forthcoming and extremely helpful. His shop and ours have much in common, the call was excellent!”


BENEFIT  FROM  THE  EXPERIENCE  OF  YOUR 
PEERS -JOIN  CIO  SELECT. 


CIO Select


For  Information  and  Membership  Pricing: 

Contact Martha Heller, Director, CIO Select, at 508.988.6738 or mheller@cio.com or via www.cio.com/community/select.html.


AN  EXCLUSIVE  PEER  SERVICE  FOR  CIOs 


Now,  long  distance,  local  calling  and 
Internet  service  will  be  together.  Voice 
and  data  networks  for  companies  large  and 
small  will  be  together.  The  innovations 
of one of the world's largest Internet
providers  and  the  simplicity  of  one  global 
network  will  be  together.  Under  one  name: 


www.mci.com 


Cover Story | Portfolio Management

Ron Kifer, vice president of program management at DHL Americas, is a veteran of the typical project and portfolio planning—or lack of planning—process in many companies. “The last three organizations I’ve been in had the same scenario. They didn’t have defined processes for reviewing project proposals; projects were pretty much recommended by senior vice presidents in each business area,” he says. “They were attempting to do many more projects than they had the capacity to do. Bad projects squeezed out good projects. There was no visibility of what was being done throughout the organization.”

That’s a recipe for disaster. At a time when CEOs are demanding that technology investments return value, CIOs who don’t have control over their IT project portfolios are fighting losing battles. Surprisingly, that’s a good number of you: A recent report by AMR Research contends that as many as 75 percent of IT organizations have little oversight over their project portfolios and employ non-repeatable, chaotic planning processes.

Reader ROI

Why portfolio management is a key tool for CIOs now

Tips from leading practitioners on how to do it

The payoffs and challenges of doing it right

Ron Kifer, VP of program management at DHL Americas, says one of his first tasks in gaining control of IT portfolio activities was to create a project inventory and put it into a master schedule.

But if you’re not doing it already, portfolio management can help you gain control of your IT projects and deliver meaningful value to the business. Portfolio management takes a holistic view of a company’s overall IT strategy. Both IT and business leaders vet project proposals by matching them with the company’s strategic objectives. The IT portfolio is managed like a financial portfolio; riskier strategic investments (high-growth stocks) are balanced with more conservative investments (cash funds), and the mix is constantly monitored to assess which projects are on track, which need help and which should be shut down.

But  it’s  all  in  the  execution.  Jeff  Chasney, 
executive  vice  president  of  strategic  planning 
and  CIO  at  CKE  Restaurants,  notes  that 
“some  companies  do  it  poorly  and  some  do 
it  well.”  The  companies  profiled  in  this  story 
reveal  their  best  practices  for  doing  it  well. 

Why  You  Need  Portfolio 
Management 

Think about how IT investments are managed in your company; do any of the following scenarios ring true? Million-dollar projects, which may or may not match the company’s objectives, are awarded to business units headed by the squeakiest executives; weak IT governance structures mean that business executives don’t have clear ideas of what they’re approving and why; the CIO ends up selling projects that should be generated and sold by line-of-business heads; the company doesn’t build good business cases for IT projects or it doesn’t do them at all; and there are redundant projects.

A  strong  portfolio  management  program 
can  turn  all  that  around  and  do  the  following: 

■  Maximize  value  of  IT  investments  while 
minimizing  the  risk 

■  Improve  communication  and  align- 



Powerful  Portfolios 

Good  portfolio  management 
requires  both  a  30,000-foot  view 
and  a  picture  from  ground  level 


Figure  1 


The  High-Level  View— The  Portfolio  Pyramid 


The IT portfolio at the highest level can be categorized into several investment classes. In the MIT model, the portfolio pyramid rests on a base of infrastructure investments. The next layer is transactional systems, which depend on a reliable infrastructure. At the pinnacle are information-producing technologies and strategic-class systems.


The  Four  Asset  Classes— Risk  Versus  Reward 


INFRASTRUCTURE 

These investments provide a shared and standardized base of capability for the enterprise and lead to greater business flexibility and integration. Infrastructure investments are moderately risky because of their technologies’ long life-spans and technical uncertainty.


TRANSACTIONAL

These IT initiatives process and automate the basic transactions of a company. They are intended to reduce costs and boost productivity and boast an average internal rate of return of 25 percent to 40 percent. These investments have the least risk of the four classes.


INFORMATIONAL

These systems provide information for managing a company. Their payoff comes from shorter time-to-market, superior quality and the ability to set premium prices. They are moderately risky because companies often have difficulty acting on information to generate business value.


STRATEGIC 


These  investments,  almost  always  external-facing  systems,  pay  off  in  sales  growth, 
competitive  advantage  and  stronger  market  positioning.  But  they  are  the  riskiest  of  the 
classes:  10  percent  will  produce  spectacular  results,  but  50  percent  will  fail  to  break  even. 


Three  Custom  Portfolios 


Company  IT  portfolios  in  the  MIT  study  sample  show  different  proportions  of 
total  IT  investment  in  the  four  classes,  depending  on  whether  their  strategic  focus  is 
cost-control,  agility  or  a  balance  of  the  two. 


[Figure: pie charts for the Cost-Focused Portfolio, the Agility Portfolio and the Balance Cost & Agility Portfolio]


SOURCE:  M.l.T.  SLOAN  CENTER  FOR  INFORMATION  SYSTEMS  RESEARCH 


Companies must visualize their IT portfolios on multiple levels and at different stages for a true and thorough perspective of their IT investments. To gain the holistic view necessary for portfolio management, investments should be viewed in aggregate and placed into categories, with the percent of IT spend apportioned across each. Figure 1 depicts one such model, developed by Peter Weill, director of MIT’s Sloan Center for Information Systems Research, and Marianne Broadbent, group vice president and head of research for Gartner’s executive programs worldwide, that is based on an ongoing study of 54 companies in seven countries. This model provides an executive-level analysis of the enterprisewide IT investment and its alignment with the general strategy of the business.

Figure 2 shows a ground-level view of how one company monitors every aspect of its portfolio, from the initial business case to spending updates. Brigham Young University (BYU) has developed this tool to allow business and IT leaders to monitor projects and facilitate the university’s ongoing portfolio management.

The Weill model and the BYU tool are only two examples of the many ways to look at IT portfolios and projects. But they illustrate the range of views that are essential components of a complete and effective portfolio management process.


Figure 2

A Ground-Level View—The Portfolio Dashboard

Brigham Young University developed a Web-based tool that allows managers to see a list of projects prioritized by portfolio category at a glance. Project details are just one click away, allowing business and IT leaders to monitor the ongoing status of projects.

[Screenshot: the BYU dashboard showing the project list and the detail page for the Firewall Upgrade project. Legible screen text: Project Objective Statement (POS): “Upgrade security on platform OS images & firewall hardware by October 15, 2003.” Project status, log updated 03-18-03: “Policy compliance implemented on AIX, WIN2K, WIN2003, SUN, & HP-UX. Access control implemented on HP-UX & SUN. Audit is in production on 3 WIN2K servers. Firewall to be installed after server IP addresses are assigned.” Schedule note: “Firewall was purposely delayed due to interdependencies with other hardware upgrades.”]

PROJECT LIST

All projects in a portfolio are shown in order of priority. Clicking on a project link, in this case Firewall Upgrade, brings up the information shown at right.

PROJECT PERSONNEL

Key project personnel are listed (“University Sponsor” would be “Business Sponsor” in a company).

PROJECT STATUS

Clicking on the “Log” link brings up past status log entries.

PROJECT CALENDAR

The black line across the top of the calendar (April through Aug.) was the original schedule; this project will take an additional two months to deploy.

FLEXIBILITY MATRIX

At the beginning of the firewall project, the university sponsor said that project scope was least flexible and schedule was most flexible. The project manager must explain the reasons for a yellow or red status.

SOURCE: BRIGHAM YOUNG UNIVERSITY


Making important decisions is your job. Delivering the insight to help you make smarter decisions is ours. We are Microsoft Business Solutions. With business applications and services from financial management to customer relationship management, we have the experience and resources to help you succeed in an ever-changing business world. To learn more, visit microsoft.com/BusinessSolutions/Insight

Software  for  the  Agile  Business. 


Microsoft 

Solutions 




ment  between  IS  and  business  leaders 

■ Encourage business leaders to think “team,” not “me,” and to take responsibility for projects

■ Allow planners to schedule resources more efficiently

■ Reduce the number of redundant projects and make it easier to kill projects

All  that  means  more  pennies  in  your  piggy 
bank.  Dennis  S.  Callahan,  executive  vice 
president  and  CIO  of  Guardian  Insurance, 
and  Rick  Omartian,  CFO  of  Guardian’s  IT 
group  and  chief  of  staff,  claim  that  portfolio 
management  has  reduced  their  companies’ 
overall  IT  applications  expenditures  by 
20  percent  and  that,  within  that  spending 
reduction,  maintenance  costs  have  gone 
from  30  percent  to  18  percent.  Eric  Austvold, 
a  research  director  at  AMR  Research,  says 
companies  doing  portfolio  management 
report  saving  2  percent  to  5  percent  annu¬ 
ally  in  their  IT  budgets. 

There’s no single right way to do IT portfolio management. Vendors, consulting companies and academics offer many models, and often companies develop their own methodologies. Off-the-shelf software is available from a variety of vendors (see “Tools of the Trade,” this page). But there are plenty of hurdles to doing it well. There are, however, best practices and key logical steps that can be gleaned from organizations such as Brigham Young University (BYU), DHL Americas and Eli Lilly, which have integrated portfolio management into the fabric of IT management, as you’ll see in this story.

Here are the key steps in creating and managing your IT investment portfolio.

Gather:  Do  a  Project  Inventory 

Portfolio management begins with gathering a detailed inventory of all the projects in your company, ideally in a single database, including name, length, estimated cost, business objective, ROI and business benefits. Merrill Lynch maintains a global database of all its IT projects using software from Business Engine.

In addition to project plan information, Merrill Lynch’s users—almost 8,000 from Asia, Europe, India and the United States—add weekly updates on how much time they spend working on projects. “We use that as our internal cost assignment tool back to the business, so that the business is paying for every technology dollar monthly,” says Marvin Balliet, CFO of global technology and services.

When Kifer joined DHL Americas as vice president of program management in 2001, one of his first tasks was getting control of project portfolio activities. He created an inventory, put that into a master project schedule, gained an understanding of the resource requirements of all the projects, then did a reconciliation of the projects and reduced the schedule to a manageable level.

Creating a project portfolio inventory can be painstaking but is well worth the effort. For many companies, it may be their first holistic view of the entire IT portfolio and any redundancies. A good inventory is the foundation for developing the projects that best meet strategic objectives.

Evaluate:  Identify  Projects  That 
Match  Strategic  Objectives 

The next steps involve establishing a portfolio process. The heads of business units, in conjunction with the senior IT leaders in each of those units, compile a list of projects during the annual planning cycle and support them with good business cases that show estimated costs, ROI, business benefit and risk assessment. The leadership team vets those projects and sifts out the ones with questionable business value. At Eli Lilly, a senior business ownership council comprising the information officer and senior business leaders in each business unit takes on this role.

Next, a senior-level IT steering committee made up of business unit heads, IT leaders and perhaps other senior executives meets to review the project proposals; a good governance structure is central to making this work. “Portfolio management without governance is an empty concept,” says Howard A. Rubin, executive vice president at Meta Group. Conversely, putting portfolio management in place can force companies with weak governance structures to improve them. (For more on governance, read “The Powers That Should Be,” at www.cio.com/printlinks.)

One of the core criteria for which projects get funded is how closely a project meets a company’s strategic objectives for the upcoming year. At clinical diagnostics company Dade Behring, an executive leadership team, which includes the CEO, creates five strategic initiatives, such as CRM or organizational excellence. The IT governance council, made up of business leaders and senior IT leaders, then evaluates projects based on how well they map against those initiatives. “We also try to assess risk from a technology point of view, a change-management point of view, the number of people that a project will impact and whether it will involve huge reengineering,” says Dave Edelstein, CIO and senior vice president of regulatory affairs, quality systems, and health, safety and environment. Using methodology borrowed from the product development group (modified for IS, but keeping terminology that business executives are familiar with),


Tools of the Trade

The portfolio management tool market is growing. In 2002, it was about $85 million; it could reach $540 million by 2005, according to Meta Group estimates. Here is a list of some of the major portfolio management tool vendors.

ARTEMIS INTERNATIONAL www.aisc.com

BUSINESS ENGINE www.businessengine.com

ITCENTRIX www.itcentrix.com

KINTANA www.kintana.com

PACIFIC EDGE www.pacificedge.com

PEOPLESOFT www.peoplesoft.com

PROSIGHT www.prosight.com

UMT www.umt.com




Sound  made  by  CIO 
when  people  see  data 
they  shouldn't. 


Your people need access to information. You just don't want to give everybody access to everything. You need a secure identity management process. Novell's Nsure™ solutions let you control access for all your employees and business partners. Quickly and easily. So you can stop worrying about who's seeing what and start concentrating on more important things, like the bottom line. To learn how Novell's consultants and partners can apply their expertise to help you increase security without decreasing access, call us at 1-800-214-3500 or visit http://www.novell.com/nsure.

we speak your language.

Novell. 


©2003  Novell,  Inc.  All  rights  reserved.  Novell  is  a  registered  trademark  and  Nsure  is  a  trademark  of  Novell,  Inc.,  in  the  United  States  and  other  countries. 




projects  are  placed  “above  the  line” — those 
that  should  be  funded — or  “below  the 
line” — those  that  shouldn’t. 

At DHL Americas, a project portfolio review board evaluates the one-page project opportunity assessment for every proposal. Membership on the board includes IS and 12 vice presidents from across all areas of the business. “Those vice presidents are not the senior vice presidents—they’re the next level down, the lieutenants,” Kifer says. “Portfolio management doesn’t work at the senior vice president level; they don’t have time to commit to portfolio management.”

A good evaluation process can help companies detect overlapping project proposals up front, cut off projects with poor business cases earlier, and strengthen alignment between IS and business execs.


Prioritize:  Score  and 
Categorize  Your  Projects 

After  evaluating  projects,  most  companies 
will  still  have  more  than  they  can  actually 
fund.  The  beauty  of  portfolio  management 
is  that  ultimately,  the  prioritization  process 
will  allow  you  to  fund  the  projects  that  most 
closely  align  with  your  company’s  strategic 
objectives. 

Ernie Nielsen, managing director of enterprise project management at Brigham Young University, is a frequent lecturer on portfolio management and a founding director of Stanford University’s Advanced Project Management Program. He instituted an extremely thorough prioritization and scoring methodology at BYU.

Under his plan, projects are placed into portfolios—Nielsen thinks multiple portfolios are a good idea in many companies because they allow like projects to be pooled together. In his case, the IT department uses four: large technology projects (more than $50K), small technology projects (less than $50K), infrastructure technology projects, and one covering executive initiatives. Think of the first three as peer portfolios; the executive one is a slightly different animal. The main job of the executive portfolio management team (each portfolio has its own team) is to distribute funds appropriately to the other three. (There are plenty of other ways to categorize initiatives; see “Powerful Portfolios,” Page 58.)

Dave Edelstein, CIO and senior VP of regulatory affairs at Dade Behring, says that at his company, an executive leadership team evaluates projects based on how well they map against strategic business objectives.

In the case of the large tech portfolio, its management team—made up of project sponsors, function managers (for example, representatives from engineering, financial services and operations, and Nielsen himself) and product portfolio managers (people with long-term project leadership responsibilities in areas such as student services or data management)—vetted projects and came up with a list of 150 for the portfolio team to score. (Nielsen uses Microsoft Project and Pacific Edge’s Project Office to plan and prioritize.)

They  then  prioritized  them  using  a  model 
that  has  four  key  tenets: 

1. Identify four to seven strategies. BYU’s Office of Information Technology does this yearly (for example, limiting technology risk, increasing the reliability of the infrastructure).

2. Decide on one criterion per strategy. For example, the team decided the criterion for limiting technology risk would be whether the technology had been implemented in a comparable organization and the benefits could be translated to BYU easily.

3. Weigh the criteria.

4. Keep the scoring scale simple. BYU uses a scale of one to five. For the technology risk strategy, five might mean that it has been used in a comparable organization and the benefits could be transferred easily; three could mean it’s hard to do because it would require changing processes; one might mean they haven’t seen it work anywhere else.

Following the scoring, the team drew a line based on how many projects it could do with existing resources. In the case of the large technology portfolio, the line was calculated where demand (the list of projects) met supply (resources—in this case, the cumulative dollar value of available application engineers plus overhead); the line was a little less than halfway down the list. Those projects above the line could be done in 2003. The team then presented that list to the president’s council, which approved it in an hour and a half, a process that used to take weeks, according to Nielsen.

There is no one method to categorize your IT investment portfolio. One approach is to categorize it as you would your own financial portfolio, balancing riskier, higher reward strategic investments with safer categories, such as infrastructure. Meta Group’s Rubin recommends a portfolio divided into



PHOTO  BY  WILLIAM  BURLINGHAM 




YOUR  EXISTING  TOOLS 


PACKET 

CAPTURE 


STATISTICAL 

ANALYSIS 


.  ACTIVE 

DISCOVERY 




NETWORKSUPERVISION 


Our  new  OptiView  Network  Analysis  Solution 
integrates  packet  capture,  statistical  analysis 
and  network  discovery  so  you  can  see  your  entire 
enterprise  in  one  amazing  view,  fast.  No  need  to 
open  multiple  applications.  It's  all  right  there  before 
your  eyes,  on  one  console.  It  even  integrates  your 
tools  from  other  vendors  into  a  comprehensive 
solution  of  portable  and  distributed  software  and 
hardware  that  produces  unprecedented  network 
vision.  Tough  to  install  and  use?  Nope.  Flexible  and 
scalable?  Totally.  Buy  only  the  components  you  need 
now  and  add  more  analysis  power  as  your  network 
grows.  To  see  how  your  network  is  performing  at 
warp  speed,  you  really  ought  to  check  this  out. 

It's  Network  Supervision  at  its  finest. 

And  fastest. 

Seeing  is  believing. 

Go  to  www.flukenetworks.com/optiviewsolutions 
to  see  our  new  demo  now. 


©2003 Fluke Corporation. All rights reserved. 01715

Other  products  mentioned  herein  are  the  property  of  their  respective  owners. 




three investment categories: running (keeping the lights on), growing (supporting organic growth) and transforming the business (finding new ways of doing business using technology). Those categories can then be cross-tabulated with four to five value-focused categories, such as how those investments support revenue growth, reduce costs or grow market share.

Since  1999,  Eli  Lilly  has  used  Peter  Weill’s 
model  to  categorize  its  IT  investments  (see 
“Powerful  Portfolios,”  Page  58,  for  a  closer 
look  at  the  model  offered  by  Weill,  director 
of  the  Sloan  Center  for  Information  Systems 
Research  and  senior  research  scientist  at 
MIT’s  Sloan  School  of  Management).  Under 
the  Weill  model,  companies  view  their  IT 
portfolios  on  multiple  levels  and 
at  different  stages,  by  visualizing 
their  investments  in  aggregate  and 
placing  them  in  four  categories, 
with the percent of IT expenditures
apportioned across each.

“We tend to want to have 5 percent
[of our projects] in strategic
areas, 15 percent to 20 percent in
the informational category, and
the remaining percentage split
between the infrastructure and
transaction modules,” says Sheldon
Ort, Lilly’s information officer
for business operations. He
says that at the enterprise level,
those percentages have remained
fairly consistent. That model
allows Lilly to balance the risk and reward of
its IT investments. (The average percentage
of annual IT spend of the 57 companies in
Weill’s 2002 survey breaks down as follows:
infrastructure, 54 percent; transactional,
13 percent; informational, 20 percent;
strategic, 13 percent.)

The payoffs that come from a thorough
evaluation and prioritization process are the
primary reason portfolio management is so
effective. First, communication between IS
and business leaders improves. And portfolio
management gives business leaders a valuable,
newfound skill — the ability to understand
how IT initiatives impact their companies.


Second, business leaders think “team,”
not “me,” and take responsibility for projects.
One tried-and-true method for how a
business leader got money for his unit’s projects
was to scream louder than everyone else.
Portfolio management throws that practice
out the corner office window; decisions are
made based on the best interests of the company.
At BYU, Nielsen observes that after its
portfolio process was implemented, “instead
of vice presidents fighting for their own lists
of projects, they noticed projects below the
line, not in their areas. They said to one
another, ‘I could provide some funds for you
to get [your project] above the line.’”

Third, portfolio management gives business
leaders responsibility for IT projects.


“I’m  no  longer  in  a  position  where  I  have  to 
sell  these  projects  to  the  business,”  says  Dade 
Behring’s  Edelstein.  “If  I’m  doing  a  project 
for  marketing,  it’s  the  marketing  exec  who 
has  to  sell  the  project  to  the  rest  of  the 
team.”  Merrill  Lynch’s  Balliet  says,  “When 
we started, the technology people were proposing
the projects. Now the businesspeople
propose the projects and [take responsibility]
for risk profiling, ongoing operational
costs and timeliness of delivery.”

Finally, everybody knows where the dollars
are flowing and why, which is especially
important to CEOs and CFOs who are increasingly
demanding that technology


Why  so  many  companies  fail  to  gain 
control  of  project  portfolios 


89% of companies are flying blind,
with virtually no metrics in place except
for finance.

84% of companies either do not do
business cases for any of their IT
projects or do them only on select,
key projects.


84%  of  companies  are  unable  to 
C  and  align  their  budgets  with  business 
needs  more  than  once  or  twice  a  year. 

SOURCE: “THE BUSINESS OF I.T. PORTFOLIO MANAGEMENT:
BALANCING RISK, INNOVATION AND ROI,” A META GROUP
WHITE PAPER, JANUARY 2002


investments  deliver  value  and  support 
strategic  objectives. 

Review:  Actively  Manage 
Your  Portfolio 

A  top-notch  evaluation  and  prioritization 
process  is  emasculated  rather  quickly  if  the 
portfolio  is  not  actively  managed  following 
approval  of  the  project  list.  Doing  that 
involves  monitoring  projects  at  frequent 
intervals,  at  least  quarterly.  At  Blue  Cross 
and  Blue  Shield  of  Massachusetts,  a  project 
management  office,  which  reports  directly  to 
Senior  Vice  President  and  CIO  Carl  Ascenzo, 
has  that  responsibility.  Once  or  twice  a 
month,  the  project  management  office  gets 
financial  and  work  progress  perspective 
updates from project leaders. That information
goes into a database, and Ascenzo
reports to the entire company monthly, giving
the project inventory and its status. He
assigns project status — green (good), yellow
(caution) or red (help!) — and includes an
explanation of the key driver causing a yellow
or red condition. The IT steering committee
meets once a month to make decisions
to continue or stop initiatives, assess funding
levels and resolve resource issues.

At  CKE  Restaurants,  the  IT  steering 
committee  meets  monthly  to  review  at 
least  three  of  the  initiatives  under  way.  “In 
my  opinion,  quarterly  is  too  long,”  says 
Chasney.  CKE,  under  the  Carl’s  Jr., 
Hardee’s  and  La  Salsa  Fresh  Mexican  Grill 
brand  names,  operates  approximately 
3,300  restaurants  worldwide.  Frequent 
reviews allow Chasney to redirect resources
more quickly.

Monitoring  project  portfolios  regularly 
also  means  projects  that  have  run  off  the 
rails  can  be  killed  more  easily.  “People  have 
an  aversion  to  stopping  projects,  but  the 
majority  of  projects  I  cancel  are  done 
because there’s a change in company strategy — a
change in priority or direction,” says
Chasney.  For  example,  if  there’s  a  strategy 
decision  to  focus  on  SAP,  then  it  makes  sense 
to  cancel  a  new  system  that  interfaces  with 
PeopleSoft,  he  says.  Chasney  states  another 
simple  but  powerful  principle  that  eludes 


66  CIO  MAY  1,  2003  •  www.cio.com 


Introducing  the  AMD  Opteron™  processor,  64-bit  computing  for  today’s  32-bit  world. 

It’s  the  only  processor  that  is  designed  to  run  your  32-  and  64-bit  applications  simultaneously  and  without  compromise, 
AMD  Opteron  runs  on  AMD64-a  breakthrough  architecture  that  enables  64-bit  technology  on  the  x86  platform- 
creating  a  new  class  of  computing  so  you  can  migrate  to  64-bit  technology  on  your  own  terms. 


The  world’s  highest  performing  2P  and  4P  servers  are  now  powered 
by  AMD  Opteron  processors.  Receive  the  performance  and  security  benefits  of 
64-bit  computing,  while  getting  the  best  32-bit  performance  available  anywhere. 




Leverage  your  existing  investments  while  preparing  for  the  future.  One  architecture 
across  one  enterprise  means  you  won’t  have  to  rip  and  replace  your  entire  infrastructure  when  you  transition 
to  64-bit  computing.  It’s  just  another  way  AMD  designs  and  builds  processors  with  you  in  mind.  For  a  closer 
look  at  the  financial  and  performance  advantages  of  the  AMD  Opteron  processor,  visit  www.amd.com/opteron 



many companies: “You can’t complete projects
just because you started them.”

Hurdles  to  Portfolio 
Management 

Yes,  portfolio  management  is  a  good  thing. 
But  getting  to  nirvana  requires  a  serious 
commitment  from  both  the  business  and  IS 
sides,  as  well  as  a  whole  lot  of  sweat  equity. 
Here  are  some  of  the  pitfalls  and  ways  to 
overcome  them. 

■  Democracy  ain’t  easy.  Taking  power 
away  from  business  leaders  accustomed  to 
calling  the  shots  will  not  always  go  smoothly. 

“Business leaders who didn’t have decisions
scrutinized previously now are [having]
decisions decided by group consensus,”
says  DHL’s  Kifer.  But  Kifer  says  that  quickly 
“people  realize  it  does  work  and  that  12 
people  can  make  better  decisions  than  one 
or  two  making  unilateral  decisions.” 

■  There’s  no  single  software  that  does 
everything.  “There  are  really  good  budget 
packages,  resource  management  packages 
and  fairly  good  portfolio  management 
packages,  but  no  package  that  ties  it  all 
together,”  says  Gordon  Steele,  CIO  and 
vice  president  of  IT  at  Nike,  who  is  in  the 
process of implementing portfolio management.
(See “Tools of the Trade,” Page 62,
for a list of some leading portfolio management
vendors.) Steele is currently exploring
a partnership with a portfolio management
vendor to see if such a software tool
can be developed.

Do  you  need  to  buy  portfolio  software? 
There’s  no  right  answer.  Some  say  it’s  a 
necessity.  “It’s  a  better  investment  now  to 
buy  rather  than  build,”  says  Meta  Group’s 
Rubin.  Gopal  Kapur,  founder  and  president 


cio.com  What's  your  take  on 

PORTFOLIO  MANAGEMENT?  How  do  your 
colleagues’  experiences  compare  with  your 
own?  That's  the  focus  from  May  1  to  15  of 
the  CIO  Best  Practice  Exchange,  CIO's 
members-only online forum for IT executives.
To join them, visit exchange.cio.com.
(For  qualified  IT  executives  only.  New 
members  must  apply.) 


of the Center for Project Management, begs
to differ. “Far too often people get the software
and say they have portfolio management.
But they don’t — they don’t have the
foundation for portfolio management,” he
says. Microsoft Excel and Project are commonly
used by companies to track and
manage projects; some companies build
their own tools.

■  Getting  good  information  isn’t  easy. 

Take,  for  example,  the  transparency  of  your 
cost structure. “You need good information
around all technology costs and investments,”
says Merrill Lynch’s Balliet. In 1999
and 2000, he and his team looked hard at
all the IT dollars and categorized them into
service “buckets,” then put them in charge-back
buckets related to those activities. For
example,  Balliet  says  that  they  created  a 
phone  monitoring  tool  and  told  some  units, 
“You  pay  for  the  calls  you  make.” 

In addition, you must update the database
regularly. “You need to have the constant
status of each project so you can react
quickly  to  market  changes,”  says  Balliet. 

■  It’s  still  hard  to  make  tough  decisions 
on  whether  to  undertake— or  cancel- 


projects. Kifer, no slouch at portfolio management,
says DHL Americas currently has
20 percent more projects in its portfolio than
it can support. “We won’t probably start
half of those,” he says. “[But] an organization
has a tendency to say, You’ll figure out a
way  to  make  those  work.” 

■ It’s an additional time constraint on
busy executives. Good portfolio management
means good IT governance means regular
IT governance committee meetings.
“Just  about  every  company  today  has  its 
people  stretched,”  says  Chasney.  As  noted 
earlier  in  the  story,  that  concern  is  addressed 
at  DHL  Americas,  where  the  lieutenants  of 
time-constrained  senior  vice  presidents  serve 
on  the  project  portfolio  review  board. 

In the grand scheme, however, the challenges
of implementing portfolio management
pale in comparison to the value it
brings to your IT investments. “It forces IT
and businesspeople to talk about investments
from a business perspective,” says Weill.
“That’s its most powerful feature.”


Tell  Senior  Editor  Todd  Datz  about  your  portfolio 
management  process  at  tdatz@cio.com. 




PHOTO  BY  JAY  BLAKESBURG 


DON'T  MAKE  ME  TELL  YOU  AGAIN  - 

ONLINE  MEETINGS  FROM  WEBEX. 

They’re  efficient,  effortless,  and  germ-free! 


webex 

THE  NEW  RINGY  DINGY™ 


Online  meetings  from  WebEx  let  you  cut  travel  costs,  boost  sales  and  massively  increase 
productivity  across  the  enterprise.  Join  hundreds  of  Fortune  1000  companies  who  use 
WebEx  to  get  an  edge  on  the  competition.  Demo  online  meetings  from  WebEx 
at  webex.com/ringydingy 


ERNESTINE  TOMLIN 

Global  Communications  Visionary 


UNISYS 


PRESENTS 


THE 


EXPERT 


Dr.  Tim  Grieser  is  responsible  for  performance  and  availability 
management  software  research  in  IDC’s  Enterprise  Systems 
Management  Software  program.  His  coverage  includes  service 
level  management  for  systems  and  applications  across  a  wide 
variety  of  platforms. 


A  few  minutes  with  Tim  Grieser, 

VP,  Enterprise  System  Management  Software  Program, 
International  Data  Corp.  (IDC) 


Fight  Data  Center  Complexity  with  Self-Managing  Servers 


>  We  now  hear  the  terms  “self-managing,” 
“self-healing,”  “self-protecting,”  “self-optimizing,” 
“self-configuring,”  “policy-based,”  “holistic,” 
“introspective,”  “autonomic”  and  “smart” 
computing  for  systems  management  software  — 
what  does  this  all  mean? 

All of these terms refer to putting more system management
intelligence into software tools, so that problem
detection,  diagnosis  and  response  can  be  performed 
automatically  in  an  increasing  number  of  cases. 

>  Just  how  real  and  proven  are  the  lofty  claims  of 
vendors  about  self-managing  IT  infrastructures? 

Quite  real.  Some  aspects  of  self-management  have  been 
successfully  implemented  in  production  environments 
for a number of years. For example, scripted responses
(such as re-booting a server) to fix common problems
(such as running out of available memory space)
are commonly deployed. Techniques such as event
correlation are used to help determine which of several
events is most likely to be the fundamental or “root
cause” of a problem.

>  Why  is  this  all  so  important  and  what  are  the 
most  significant  benefits  to  the  enterprise? 

What  is  really  important  in  today’s  complex,  distributed 
environments is to simplify the job of system management.
With increasing platform complexity, and constraints
on IT budgets, IT professionals such as system
administrators  are  being  asked  to  manage  more  and 
more  infrastructure  elements,  such  as  servers,  in  less 
time.  Indeed,  “doing  more  with  less”  is  a  common  job 
requirement  for  system  administrators  these  days. 
Intelligent  system  management  software  can  simplify  the 
job  of  administrators  by  automating  responses  to  known 
types of problems, thus reducing the number of situations
that require manual intervention by the IT expert.
Benefits to IT include cost savings, the ability to “scale”
to manage ever increasing numbers of servers and server
images, and improved service levels such as system
performance  and  availability. 


>  How  does  an  enterprise  implement  these 
capabilities  across  dissimilar  platforms,  and  are 
standards  important? 

Typically,  there  will  be  platform-specific  management 
components  (such  as  monitoring  agents  for  Windows  and 
Unix servers) linked to common management components
such as “consoles.” The common management
components  often  deal  with  automatic  responses  to 
events,  and  also  work  with  higher  level  constructs,  such 
as  applications  and  end-user  views.  Standards  are  useful  in 
that they can enable easier data gathering, such as monitoring,
across platforms. Also, system management tools
often  use  standards  to  communicate  information  from 
basic  monitors  to  higher-level  management  consoles. 



>  What  can  we  expect  from  this  technology 
three  years  from  now? 

The direction is clearly toward higher levels of automated
responses, not only to fix operational interrupts
or breakages, but also to address dynamic management
of resources (such as dynamic load balancing and provisioning
servers as needed) in order to achieve desired
service levels. More and more, the objective is to
reduce manual intervention to diagnose and fix problems,
so that higher levels of scalability, performance
and availability can be achieved.

For  more  information,  please  call  800-874-8647  x385 
or  visit  www.unisys.com/datacenter/sentinel 

UNISYS 

Imagine  it.  Done. 


managing  its  servers 
would  never  be  simple 


Server  Technology 


Imagine  it: 

Fighting  complexity.  Scaling  up  with  simplicity. 
The IT team at La-Z-Boy Incorporated experienced
an explosion of servers and applications.
One Unisys ES7000 enterprise server simplified
management to a standardized platform; and
offered flexible partitioning to adjust to
changing needs.


Done:

Today  the  Unisys  ES7000  family  of  enterprise 
servers comes with true self-managing, self-healing
systems to harness the massive
power  of  up  to  32  Intel®  Xeon™  processors. 

It  can  also  help  simplify  your  operations 
through  standardization  on  Microsoft 
Windows®  2000  Datacenter  Server.  One  more 
detail:  the  cost  of  the  ES7000  is  as  low  as  1/3 
the  cost  of  comparable  UNIX  systems. 


Server  Technology  with  precision  thinking, 
relentless  execution  to  drive  your  vision  forward 


Imagine  it.  Done. 

unisys.com  800. 874.8647  x370 




IT  Staffing 


Staff  Alert 

With  outsourcing  on  the  rise,  CIOs  are  at  the  center  of 
a  morale  crisis.  They  can  see  many  of  their  workers  battling 
stress  on  the  job.  The  best  leaders  learn  to  help  employees 
now — and keep them in the future.

By Stephanie Overby


Dianah Neff’s staff was sick a lot last winter. But the CIO of the city of Philadelphia
was worried that it wasn’t just the record cold and snow that had her
employees under the weather. With the city facing its worst fiscal crisis since
1991, Neff had been forced to cut 10 percent of her staff through an early
retirement program. She started cross-training the remaining 535 to deal
with increasing demands being placed on IT. Meanwhile, as each new
project request came in, Neff was openly looking at whether outsourcing
some work might be more cost-effective — another anxiety source
for her already stressed staff.

“People  have  become  anxious.  We’re  watching  to  see  if  we’re  getting 
increases  in  sick  leave  or  if  other  issues  are  occurring.  People  deal  with  the 
stress  of  layoffs  and  increased  workloads  in  different  ways,”  Neff  says.  “The 


staff  is  realistic.  They  know  it’s  a  tough 
job  market.  I  don’t  know  that  you  can 
ever  really  reassure  people  in  these  situations.” 
Neff  expresses  a  pervasive  feeling:  75  percent 
of  290  IT  executives  in  a  recent  CIO  survey  said  their  top 
staffing  concerns  in  2003  are  their  employees’  demanding 
workloads  and  staff  burnout.  At  the  same  time,  more  CIOs 
are  looking  outside  their  company  walls  to  fill  their  labor 
needs — 37  percent  plan  to  increase  the  use  of  outside  sourcing 
options,  such  as  contractors  and  outsourcers,  to  meet  work 
goals  in  the  next  year,  according  to  the  survey. 


Reader  ROI 

►  Why  CIOs  need  to  worry 
about  workers  even  in  a 
buyer's  labor  market 

►  How  outsourcing  threatens 
your  IT  workers 

►  Eleven  tips  to  work 
effectively  with  staff  under 
stress  in  tough  times 




Dianah  Neff,  CIO  of  the  city  of  Philadelphia  (center),  is  working  to  communicate  more 
with  her  staff  about  efforts  to  do  more  with  less.  Neff  sits  among  staff  members,  from 
left  to  right:  Deputy  CIO  Michael  Dean;  Malayna  Perloff,  communications  program 
manager;  IS  Administrator  Jacqueline  Henry;  Neff;  IT  Director  Viviant  Jones;  and 
Patricia  Shaw,  administrative  assistant. 




Add  to  this  fiscal  funk  such  nonwork 
stressors  as  homeland  security  alert  levels 
and the war with Iraq, and it’s like the perfect
storm for the IT staff. CIOs who think
there’s  no  real  threat  of  turnover  in  tough  IT 
times  and  put  off  dealing  with  the  situation 
may  be  in  for  a  rude  awakening  even 
sooner  than  the  highly  anticipated  economic 


turnaround.  “Your  best  workers  will  leave 
and  go  somewhere  else,  and  you’ll  be  left 
with heavier workloads and fewer top performers,”
warns Diane Morello, a Gartner
analyst. “We’re already seeing the start of a
workforce backlash. There’s a subtle pulling
back on the part of employees who are saying,
If you’re not going to help me put the
brakes  on  [the  workload],  I’m  going  to  do 
it  myself.” 


Instead  of  waiting  to  see  productivity  slip, 
CIOs must do everything they can now to
prevent  employee  burnout,  stress  and  doubt. 
(See  below,  “Eleven  Simple  Rules  for  the 
Care  and  Feeding  of  Your  IT  Staff.”  And 
for  one  CIO’s  tale  of  coping,  see  “How  to 
Pass  the  Stress  Test,”  Page  50.)  Read  on  to 
share  the  experiences  of  CIOs  who  have 


learned  the  importance  of  adjusting  office 
conditions — from establishing project management
controls and making staff workloads
more reasonable to recognizing top
workers.

A  Familiar  Feeling 

High stress and heavy workloads are nothing
new to IT; night and weekend work has
been the norm for years. “It’s an occupational
hazard,” says Rick Skinner, CIO of
the Oregon division of $3.3 billion Providence
Health System. “IT staffs are responsible
not only for keeping current systems
and infrastructure running, but they’re also
responsible for a whole host of new projects.
Some are planned, budgeted and scheduled,
and some come out of left field with
no budget, no schedule and only a fuzzy
idea of the deliverables. That kind of environment
is by nature high stress.”

But  if  70-hour  workweeks  somehow 
became  the  norm  in  the  best  of  times,  the 
hours  being  clocked  by  IT  workers  today — 
with  budgets  stretched  and  expectations  on 
the  rise — are  potentially  unbearable.  “Like 
every  other  IS  organization  out  there,  we’re 
suffering  from  an  incredible  amount  of 
demand.  CEOs  and  CFOs  want  additional 
services,  but  they  want  it  done  for  less,”  says 
Bruce  Reirden,  vice  president  and  CIO  of 
the  Care  New  England  group  of  hospitals. 
“So  ultimately  as  CIOs,  we’re  requesting 
people  to  work  more  just  to  get  the  jobs  out 
the  door.  I  couldn’t  even  tell  you  what  the 
average  workweek  is  like  here.  Some  weeks 
it’s  higher,  some  weeks  lower.  But  it’s  always 
in  excess  of  what  people  are  scheduled  for.” 


46  percent  of  IT  executives  laid  off  staff  in  the  last 
half  of  2002.  New  hiring  is  spotty:  30  percent  are 
looking  for  workers.  Others  will  wait  until  later  in  2003 
(32  percent)  or  2004  (another  32  percent). 


Eleven 
Simple  Rules 
for  the  Care 
and  Feeding 
of  Your  IT 
Staff 

Techniques  for  doing  more 
with  less  while  keeping  staff 
motivated 


Open Up. The key to helping
employees deal with their worries—
from layoffs to an outsourcing deal to
a hellish project— is communication.
"Employees are thinking, I’m a grown-up.
Just tell me what’s going on,” says
Linda Pittenger, CEO of People3, a Gartner
company. “The great CIOs are very up front,
and they keep the best people.”

Be  a  good  buffer.  Don’t  take  on 
more  work  than  your  staff  can  handle. 

Instead, explain the resources you have
to  business  executives  and  invite  them  to 
help  narrow  priorities.  If  they  have  trouble 
understanding  why  IT  can’t  do  more,  explain 
it  differently.  “Other  operating  departments 
are  in  the  same  boat,”  says  George  Brenckle, 
CIO  of  the  University  of  Pennsylvania  Health 
System.  “The  radiology  department  isn’t 
going  to  be  able  to  do  more  exams  while  it’s 


decreasing  its  staff.  And  as  long  as  they’re 
clear  on  what  it  is  you’re  delivering,  they 
understand.” 

Put  project  management 
controls  in  place.  “There 
are  always  going  to  be  busy  times,” 
says  Steven  W.  Agnoli,  CIO  of  law  firm 
Kirkpatrick  &  Lockhart  in  Pittsburgh. 

“But  even  when  there’s  more  work  to  be 
done,  having  a  very  sequenced,  systematic 
process  to  go  through  makes  it  less 
stressful.” 

Increase employee
accountability. Giving individuals
more control over day-to-day
decisions actually alleviates their anxiety.
"They want to be in control of their own
destiny," says Rick Skinner, CIO of Providence
Health System’s Oregon division.




Linda Pittenger, CEO of People3, Gartner’s
HR consulting group, says that overburdening
staffs is risky. “It can mean costs
related to absenteeism and productivity
decreases because people are depressed, or it
can increase productivity but also increase
the risk of burnout because people are working
harder to keep their jobs,” she explains.

Another downside to the current IT
staffing environment is a decrease in innovation
and a focus on the individual rather than
the team. “In times like these people become
risk averse. They don’t want to share new
ideas because there’s no money in it,” Pittenger
says. “And what if the idea is bad? Do
I want to be the guy who raises his hand and
says we should do this, and then it fails?”

Some  CIOs  insert  research  opportunities, 
even  modest  ones,  into  their  staff  schedules  as 
a  way  of  developing  staff  skills — and  relieving 
some  of  the  workaday  pressure.  At  Electronic 
Arts,  a  $1.7  billion  computer  game  maker, 
CIO Marc West insists his employees participate
in niche R&D teams looking at where
the  business  might  be  headed.  “We  run  a 
pretty  intense  environment,”  he  says.  “But 
we  ask  employees  to  dedicate  these  very,  very 
narrow  time  slices  to  R&D.  They  give  up  an 


hour  a  week,  but  it  gives  them  something 
positive  to  engage  in.  As  a  result,  they  find 
more  time  for  other  things  and  are  better  able 
to  prioritize  the  work  at  hand.”  West  admits 
the  R&D  time  can  get  sacrificed.  About  15 
percent  of  the  time  (when  things  are  really 
crazy),  the  teams  meet  for  an  hour  every  two 
weeks.  And  he  will  extend  the  time  lines  for 
ongoing  R&D  projects. 

Prioritization  Is 
a  Virtue 

One  thing  has  become  clear  as  employees  and 
other  resources  have  become  stretched  paper 
thin:  the  importance  of  prioritization  and 
project  management  skills.  And  that  has  to 
start  at  the  top  with  the  CIO.  Otherwise  the 
caliber  of  work  coming  out  of  the  IT  shop  is 
destined to decline. “IT is the most project-oriented
area of the business, but corporate
IT still doesn’t seem to be able to get project
management down to a strong discipline,”
says Tom Pohlman, a Forrester Research analyst.
“But if you completely overburden your
staff and don’t have good PM skills, the quality
of work is going to suffer.”

Darren  Bien,  CIO  and  COO  of  Keller 
Williams  Realty  International,  found  that  out 


Stress  Source 

Forty-six  percent  of  290  IT  executives 
surveyed  said  their  use  of  outsourcers 
and  contractors  is  permanent.  See  survey 
results  at  www2.cio.com/research. 


In  2003,  CIOs  plan  to  increase  their 
use  of  outside  sourcing  options  in  the 
following  areas: 


Contractors and contingent staff: 47%
Offshore outsourcing: 18%
Onshore outsourcing: 16%
Part-time staff: 16%
Interns: 13%


SOURCE: 290 I.T. EXECUTIVES AND OTHER I.T. PROFESSIONALS
RESPONDED TO CIO'S SURVEY ON I.T. STAFFING, ADMINISTERED
ONLINE DURING JANUARY


CIO  RESEARCH 


in 2001 when 20 major initiatives were in
the IT pipeline and not one was implemented.
Even in industries that are doing
well (Keller Williams’ revenue grew 40 percent
to $530 million in 2002 thanks to low-interest
rates), the danger is still there.
“We’ve had to drive a much more process-oriented
focus on project management,” says
Bien, who had 25 employees trying to complete
those 20 projects. “Steering committee


Identify  individuals  at  risk. 

Overwrought employees may be hesitant
to complain, so seek them out. “If
someone's working on a 40-hour project
that’s now 40 hours overdue, I will assign an
additional resource to the project temporarily
and reschedule the delivery date to
alleviate  the  problem,"  says  Bruce  Reirden, 
CIO  at  Care  New  England. 

Cut the dead weight. Consider
weeding out the bottom 10 percent of
employees. “We have redoubled our
efforts to manage poor performers out of the
business,” says William H. Miller, vice president
of information services at Harris Corp.,
a $1.9 billion communications equipment
maker. “It’s not fair to the rest of the workforce
who are busting their humps in tough
times to have these poor performers by their
side not carrying their weight.”


Walk  a  mile  in  your  staffers’ 

shoes.  “Now  more  than  ever,  I’ve 
found  that  I  have  to  get  down  into  the 
trenches  and  spend  more  time  in  my  staff’s 
workplace  to  make  sure  I’m  aware  of  the 
pressures they’re under and to show my
support," says Kevin Molloy, CIO of Vancouver
International  Airport. 

Offer creative outlets. Giving
employees just a little time each week
to devote to strategic, forward-thinking
work rather than the immediate task at hand
can go a long way toward staving off burnout.

Get more bang for your training buck. While you can’t offer big bonuses to reward your staff, you can offer them free exposure to new skills—and often without a big budget. Explore alternative training options. Reirden applied for a state-sponsored technology training grant, while Agnoli insists on cutting-edge training from his major vendors.

Alert employees that outsourcing does present opportunities. Show employees that the increased use of outsourcing or contract workers isn’t just an excuse for layoffs. Show them the more strategic skills they can acquire in the new situation, such as business process management and systems analysis.


Don’t forget the recognition. Making time to celebrate employees’ successes is critical, whether it’s a mention in a company newsletter or just a pat on the back in the elevator. And money (if you’ve got it) doesn’t hurt either. -S.O.




processes  and  prioritization  put  in  place  last 
year  allow  us  to  focus  on  what’s  important.” 

Providence’s Skinner says he has to ensure that the projects his 300 employees are working on aren’t ones more suited for a staff of 1,000. “I have to make sure that the things they’re being asked to do are reasonable not only in terms of business value but also in terms of the resources we have,” says Skinner, who’s been dealing with declining margins in health care for nearly a decade. “I’ve found myself changing from a cheerleader trying to sell technology to the business to the gatekeeper trying to ensure that we make only those investments that increase business value and can actually be accomplished.”

An effectual PM office helps to keep man-hours in check. “We know roughly what resources it will take to maintain our systems and also know how much is left over for project work. What we don’t know is which resource will be required on what project when and whether that might conflict with some other project,” Skinner says. “The project management office attempts to coordinate all the work.”

But the process requires continuous tweaking. “It’s impossible to forecast how many DBA hours we’re going to need on a given project, much less all our projects six months from now,” he says, adding that the project management office makes weekly adjustments.

In addition, Skinner gives his employees more accountability. More responsibility to relieve stress? Sounds counterintuitive, but giving workers some control can go a long way. This year, for example, four employee action groups reviewed the annual employee satisfaction survey results and determined what direction to take—a process previously handled by Skinner’s management team. The groups came up with creative recommendations with real business value that will be more widely accepted than if they were handed down from the top, Skinner says. One result: after employees pointed out that a 40-hour continuing education requirement did not ensure workers got the right kind of training, Providence managers will set training priorities and find ways to gain that expertise.

“Give people clear goals, resources to achieve them and the ability to make the day-to-day decisions. Even though they’ll work harder, it’s more enjoyable for them. That helps alleviate some stress,” Skinner says.

Even with the best processes in place, IT employees still have to work harder these days. But CIOs can help alleviate the stress by simple communication—providing a light at the end of the tunnel for their staffs even if they don’t necessarily see one themselves. “Most people can tolerate a certain degree of high intensity work if they see relief in the future—six, nine, even 10 months down the road,” Gartner’s Morello says, and leaders need to describe this road.

Cecil O. Smith, senior vice president and CIO of $59.5 billion Duke Energy, spends significant time these days reassuring his troops. “If there’s ever a time to be seen and be visible, it is now,” Smith says. “With all the concern about job security, the economy, a war and what we’ve been through in rightsizing the company, the staff has got to be wondering, Will we be working here next week? or Will we be working on creative stuff? I say, This is one where we all have to help each other. We will be OK. We’ll come out of this. You have to help carry that message yourself.”

Acknowledge the Outsourcing Threat

Many CIOs are also looking to outside sources of help in meeting IT demands—either for cost, skills, strategy or a combination of the three. According to our survey, 68 percent of CIOs increased their use of contractors and contingent staff during the past year, 23 percent increased their use of onshore outsourcing, and 18 percent increased their use of offshore outsourcing. For the next year, 47 percent expect to increase their use of contingent staff and contractors.

“CIOs faced with an already bare-bones staff are told to cut another 10 percent, and the most promising thing for them is to look at the offshore outsourcing market where they can theoretically save 30 percent to 50 percent in hard costs,” says Morello. “If I’m a CIO in the United States and I’m being asked to continue to reduce costs after already extensive and radical cost-cutting, I have to justify why I’m not considering offshore.”

But while using outside sourcing options can be a good way for CIOs to meet business needs with smaller budgets and fewer full-time staff, their introduction can increase in-house staff malaise. This is particularly the case with outsourcing. “People are very reticent and nervous,” Morello explains. “If you are someone who has shown that you’re a great technical person but that’s all you have—you don’t have any business process or management skills—your role is at risk because that work is moving overseas, and chances are you aren’t moving to India with it.”

Electronic Arts’ West understood this issue when he began outsourcing 15 percent of the company’s development work to two middle-tier Indian software companies, iEnergizer in Noida and Cybage Software in Pune. “We originally started sending work over there because of the nonavailability of talented staffing in the U.S., but that’s not the situation today. Now we use it as a cost-effective solution,” West says. To help address concerns that Electronic Arts’ in-house developers will become obsolete, West has tried to position the Indian play as an opportunity. While he’s discontinued hiring junior developers, he’s encouraging his


60  percent  of  IT  executives  said  the  stress  level 
among  their  IT  staffs  is  high  or  very  high.  43  percent 
said  stress  levels  are  higher  than  a  year  ago. 




existing stateside developers to learn systems analysis and gain more strategic skills, such as getting to know the business’s order management processes to figure out what commercial software might be a good fit. “We’re trying to make it an opportunity to develop skills around managing offshore projects and managing a distributed development environment,” West explains. “There is always an underlying concern, and you can never take the full fear out of it. But we make sure it’s seen as a way to get the job done better and faster, and not just cheaper.”

The same people issues crop up with onshore outsourcing. George Brenckle, CIO of the University of Pennsylvania Health System (UPHS), outsourced the majority of his department to First Consulting Group, a health-care IT services company. First Consulting took over 170 of Brenckle’s IT employees in 2001 just after the hospital system posted a loss of $200 million, leaving just 30 employees in-house. “You can never 100 percent relieve the anxiety of outsourcing, but we were very open so the employees knew who we were talking to and what we were finding,” Brenckle says.

Brenckle was so concerned about employee reaction that in the end, 25 percent of the contract with the outsourcer addressed staff issues, such as guaranteeing that the outsourcer would retain all UPHS employees for at least a year and ensuring that turnover would be less than 2 percent. The pact kept some benefits, such as tuition reimbursement, that UPHS employees have. Still, the outsourcer saw two turnover peaks—one at the switchover and another 18 months later when some workers transferred off the UPHS account. But Brenckle knows it could have been worse. Remaining employees, whose stress levels skyrocketed initially, eventually got used to the idea of managing staff that actually worked for another employer.

cio.com How do you keep staff happy? Share your experience when you WEIGH IN with what’s worked for you in keeping your IT team productive in tight economic times. Go to comment.cio.com/weighin.


Morale a Top Concern

While CIOs say they will use more outside help, they remain concerned about full-time employees

CIOs’ top staffing concerns for 2003:

Demanding workloads and preventing burnout
Retaining needed skill sets
Low morale and motivating staff
Funding IT training
Finding/hiring needed skill sets

SOURCE: 290 I.T. EXECUTIVES AND OTHER I.T. PROFESSIONALS RESPONDED TO CIO'S SURVEY ON I.T. STAFFING, ADMINISTERED ONLINE DURING JANUARY

CIO RESEARCH


“Outsourcing  is  the  kind  of  thing  where  you 
have  to  include  your  staff  on  the  journey. 
You  have  to  be  very  open,”  Brenckle  says. 
“Because  the  reality  of  it  is  that  you  have  an 
IT  department  to  run  before  you  outsource, 
and  you’re  going  to  have  an  IT  department 
to  run  after  you  outsource.” 

“CIOs will spend tons of money analyzing who the right outsourcer is and on which piece to outsource, but when it comes to focusing time and money on people issues, they say they can’t afford it. But that’s the one piece that really matters,” says People3’s Pittenger. “Bring companies in to hire your people or have the outsourcer hire them. Take the business strategy and make it work for your employees. It doesn’t have to be a win-lose situation. Besides, you have survivors inside who aren’t going to stay if they see how you treat the people who don’t stay.”

Keller Williams Realty’s Bien admits he made a mistake when he outsourced strategic development to an IT consulting group a year ago. “There’s a lot of internal skepticism when you enter into a long-term relationship like that, and the outsourcer is doing all the neat and cool stuff, and your internal staff is keeping the wires together,” says Bien, who recently reinsourced that work. “As we go forward, we only outsource commodity services in the short term. And what we will keep in-house forevermore is the development of strategic platforms that differentiate us. It’s an employee satisfaction issue. And no one will understand your strategic needs better than the people whose livelihood depends on the success of the company.”

Get  Used  to  This 

But what CIOs want to know more than anything is when will this period of deflated budgets, inflated stress levels and increased pressure to use outside sourcing options end? Unfortunately, there’s no solid answer to that just yet. “There’s a yearning [among IT employees] for things to go back to the way they were two or three years ago,” says Pittenger. “But that period of time was so artificially inflated we’ll never get back to that.”

And while budgets have begun to inch up a bit, according to Forrester’s Pohlman, IT hiring is still trailing the slight budget increases. “This problem is going to continue to get worse,” he says. “Although we’re seeing some CIOs start to increase their spending, they’re not increasing their hiring [as much].”

Though  not  rosy,  the  situation  does  paint 
a  clear  picture  of  what  CIOs  need  to  do — 
everything  they  can  to  take  care  of  their 
workers. 

In Philadelphia, city CIO Dianah Neff seeks help and understanding. She’s looking into automation tools that might help her small staff deal with bigger workloads. She’s telling her city IT governing board that there’s only so much her staff can do. And she’s communicating like crazy with her employees.

“Communication is the best stress reducer. The staff feels at least a little less stressed if they understand what is going on,” Neff says. “If they aren’t worried about what management is doing, they can focus on their jobs or finding creative ways to do more with less.”


Contact  Senior  Writer  Stephanie  Overby  via  e-mail 
at  soverby@cio.com. 




PHOTOGRAPHY  BY  JONATHAN  TORGOVNIK 


Q&A  |  Dan  Ariely 


Dan  Ariely’s  research  in  behavioral  economics  seeks 
to  explain  why  CIOs  make  poor  investment  decisions 
and  why  they  don’t  know  what  technology  is  worth 


As a CIO, you’re familiar with the following scenario: You’ve sunk $900,000 into a forecasting system that’s expected to cost $1 million but has yet to deliver on its promises. In hindsight, you’ve realized that all that money would have been better spent on a sales-force automation (SFA) system. Nevertheless, you’ve still got $100,000 in your coffers, so instead of scrapping the forecasting system and starting anew with SFA tools, you sink the remainder of your money into the forecasting system and hope for the best.

A foolish mistake? Perhaps, but not at all unusual, according to Dan Ariely, the Luis Alvarez Renta professor of behavioral economics at MIT’s Sloan School of Management and director of the MIT Media Lab’s e-rationality research group. As a behavioral economist, Ariely studies how people make decisions in real life and why their decisions often deviate from classical economic models, which assume that people act rationally and in their o


Ariely,  36,  takes  a  self-described  “armchair” 
approach  to  that  discipline. 

“I  look  at  how  I  behave.  When  I  find  something 
curious  or  bizarre  about  myself,  I  tend  to  look  at  it  in 
more  detail,”  he  says. 

For example, Ariely’s own tendency to procrastinate led him and a colleague to study different measures for overcoming procrastination. They found that people are willing to set their own deadlines so that they don’t wait until the last minute. Yet while self-imposed deadlines help people improve their performance, they are not as effective as deadlines set by others.

Ariely, with his self-examining style, is one of a handful of academics challenging the intellectual foundation of economics. For years, classical economists maintained that individuals make decisions based on their own self-interests. Ariely’s research on procrastination, how people value goods, how they perceive pain and the effects of female physical beauty on the male brain reveals the exact opposite: Individuals make irrational decisions that are not in their best interests.

What may interest CIOs most are Ariely’s investigations into how people value goods and how people’s experiences of physical and psychological pain affect their decisions. CIO Senior Writer Meridith Levinson caught up with Ariely at his home in Cambridge, Mass., where he explained his research, discussed it in the context of the irrational decisions CIOs make and shared his thoughts on what CIOs can do to make more rational financial decisions.

CIO:  Your  research  shows  that 
people,  including  CIOs,  don’t 
know  how  to  value  or  set  prices 
for  various  goods.  How  did  you 
come  to  that  conclusion? 

Dan Ariely: We [Ariely and fellow researchers Drazen Prelec and George Loewenstein] conducted a second-price auction in class. We sold MBA students keyboards, [computer] mice, bottles of wine, DVDs, books and chocolate. We explained the procedure for a second-price auction where the highest bidder pays the second highest bidder’s price. We described each of the products and said to the students, “Before you tell us your bids, please tell us the last two digits of your Social Security numbers and translate those last two digits into a dollar figure.” So if your last two digits are 44, that’s $44. Then we asked them to tell us whether they would pay the amount of money indicated by the last two digits of their Social Security numbers for the various products.

What  did  you  find? 

The people with the highest Social Security numbers, in most cases, bid 100 percent more than people with the lowest Social Security numbers.

In  that  experiment,  you  were  also  testing  a 
concept  called  coherent  arbitrariness.  Can 
you  explain  what  that  is? 

It’s the idea that people do not know how much to pay for anything. They will rely on their own arbitrary judgments to generate a value, and the value they generate will be coherent in the sense that it will be based on the value of a similar item. For example, when we sold a large box of chocolates and a small box of chocolates everybody said, “We’ll pay $X more for the big box than the small box.” Once the price of a product [in this case, the small box of chocolates] was fixed, the prices of similar products were set in a relative manner.

How  does  that  research  apply  to  prices 
that  CIOs  pay  for  IT? 

Imagine that an organization is thinking of creating a database. Why does it care what Oracle thinks [the database] should cost? Theoretically, the company should be able to say, “How good is this [database] for us?” Often it relies on prices that it or others have paid for similar products in the past. “That database was $2 million. This database is twice as big so we should be able to pay at least $4 million.” It’s hard to figure out the value of an IT investment. If what you’re willing to pay is a function of what you paid before, that’s a problem because it means you don’t know what it’s worth.

Is  hardware  an  exception  to  what 
you've  found,  since  its  price  decreases 
every  year? 

The fact that the cost of hardware decreases every year is an additional factor people take into consideration when estimating a price. They still set prices in a relative manner. They begin with the starting level price—what they paid last year—then they adjust it based on factors that seem relevant. In the case of hardware, you’re expecting prices to go down.

How  should  CIOs  evaluate  the 
value  of  a  database  or  any  other 
IT  investment? 

They should not compare databases to databases. They should compare the database with all possible IT investments. People have a tendency to make decisions in silos. We think about whether or not to invest in a new database or to allocate salaries separately. It’s better to think across categories to find out where the best value is. Should we update software? Hardware? Move to a new operating system?

Can you explain why people rely on those apples-to-apples comparisons to determine or rationalize what they’re spending?

It’s  so  simple.  It’s  seductive.  It  appears  rational. 

Evaluating  these  things  is  hard.  I  don’t 
want  to  say  people  are  stupid.  Go  back  to 
the  example  I  gave  you  with  the  box  of 
chocolates.  How  do  you  evaluate  the  value 
of  a  piece  of  chocolate?  You  know  what  its 
sweet  taste  and  soft  melting  texture  is  like, 




CIO  ENTERPRISE  VALUE  AWARDS 


Honoring  Business  Achievement  Through 
the  Innovative  Use  of  Information  Technology 

DEADLINE:  MAY  15,  2003 


The  Resource  for  Information  Executives 


2004 

CIO  ENTERPRISE  VALUE  AWARDS 


Honoring  Business  Achievement  Through 
the  Innovative  Use  of  Information  Technology 

PREVIOUS  WINNERS 


APCOA  Inc.  1995 

AT&T  Universal  Card  Services 
Corp.  1994 

Bell Atlantic Corp. 1997

Black & Veatch 1998

Brigham & Women’s Hospital 1996

Capital One Financial Corp. 1999

Caterpillar Inc. 1995

Charles Schwab & Co. 2000

The Chase Manhattan Corp. 1997

Chicago Bureau of Parking 1994

Commonwealth of Massachusetts 1995

Complete Health Services Inc. 1994

Con-Way Transportation Services Inc. 2003

Dell Computer Corp. 2000

The Dow Chemical Co. 2002

Enterprise Rent-A-Car 2002

Fidelity Investments 1997

Gensym Corp. 1996

Harrah’s Entertainment Inc. 2001

Health Decisions Inc. 2003

Household Financial Corp. 2000

Hyatt Hotels & Resorts 1995

Kmart Corp. 1995

Lone Star Gas Co. 1993

Los Angeles County Department of Public Social Services 1994

McDonnell Douglas Helicopter Systems 1996

MacGregor Medical Association 1997

Medical Center of Delaware 1993

Michigan Department of Transportation 2002

The MITRE Corp. 1999

New York City Department of Finance 1998

New York City Transit Authority 1993

Office Depot Inc. 2001

PA Department of Environmental Protection 2002

PC’s Compleat Inc. 1995

The Perrier Group of America Inc. 1993

Pfizer Inc. 2000

PPG Industries Inc. 1999

Procter & Gamble 1998

Rockwell Space Systems Division (SSD) 1996

The SABRE Group 1999

SBC Communications Inc. 1999, 2002

Schlumberger Ltd. 1997

South Florida Water Management District 1994

State Street Global Advisors 1998

SynOptics Communications Inc. 1994

Tech Data Corp. 1998

Telogy Inc. 1996

Texas Instruments 1993

The Wharton School of the University of Pennsylvania 2003

Travelers Managed Care and Employee Benefits Operations 1993

Tufts University 2001

United Healthcare Corp. 1996

U.S. Army Pacific Regional Program Office 2000

U.S. Environmental Protection Agency 1998

University of Illinois Medical Center 2003

U.S. Securities and Exchange Commission 2003


Presented  by 


CIO 


The  Resource  for 
Information  Executives 


For More Information

Visit the awards website at www.cio.com/eva or contact Lynne Rigolini at eva@cio.com or call 508-935-4088.

Download the Application at www.cio.com/eva

Deadline for entry: May 15, 2003



You’ve Picked a Winner!

Often hailed for its preeminence as the “Pulitzer Prize of the business press,” the Neal Award is the business publishing industry’s annual salute to individual editors for outstanding editorial excellence.

CIO magazine is the proud recipient of the prestigious 2003 Grand Neal Award—the top editorial honor granted to one publication from more than 1,000 entries across all categories and circulation sizes. CIO also won Neal Awards for “Best How To” for the 2002/2003 Year-End Issue and “Best Article” for “Microsoft’s New Subscription Plan: CIOs Just Say No.”

The Neal Award judges aren’t the only ones who prefer CIO magazine. CIOs choose CIO as the one publication they rely on for insight and strategies for managing IT.*

NOW THAT’S WHAT WE CALL AN AWARD!

* SOURCE: CIO READER PROFILE STUDY, MRI, AUGUST 2002


CIO 


The  Resource 
for  Information 
Executives 


Q&A | Dan Ariely

But how you translate that into money is quite complex. And chocolate is supposed to be easy. Theoretically, you do this all the time. So how do you deal with a database? How do you take all of its complexities into account? People use these heuristics, these shortcuts, these relative comparisons that seem to give us the reason to make choices. A lot of times you don’t compute; you just look for reasons to do one thing over another. Those are reason-based choices.

A lot of companies are holding back on IT investments because of the weak economy. Are they acting irrationally?

It’s hard to say for sure. It’s a question of how you look at your portfolio of decisions. Do you look at the decisions one at a time or in total? For example, if I asked you to play a game where I flip a coin and if it lands heads, I give you $140. But if it lands tails, you give me $100. If I asked you, “Would you play this game once,” you’d say no. If I asked you, “Would you play this game 100 times,” you’d say yes. Why should things be different if you play something one time or 100 times? This is something called Samuelson’s Paradox. When you focus on one decision and realize the downside, you focus on the downside and don’t take the risk. You’re risk averse. If an organization thinks of 10 decisions separately, it might not take enough risk. When you think about a lot of gambles, or when you look at all the decisions together, you take on much more risk because the fear of losing a lot on a single project is mitigated.

In essence, companies are being irrational if they are evaluating IT investments in a silo; whereas if they are evaluating them as a portfolio, they are being rational?

It’s irrational when the outcome of their decisions is different when they evaluate their investments one at a time as opposed to all together. It’s fine to look at investments separately if the outcome is the same as when you look at all of them together. The problem is, I suspect the outcome is not the same.

In light of your explanation, is taking a portfolio management approach to IT investments a good idea for CIOs?

Yes. When companies look at investments one at a time, they’re more risk averse. Being risk averse can be a very bad thing for a company. (For more on portfolio management, see “Portfolio Management: How to Do It Right,” Page 56.)

Related to being risk averse, CIOs also fall victim to making IT investment decisions based on money they’ve spent in the past, a theory you refer to as the sunk cost. Can you explain what’s irrational about it?

Imagine this scenario: You work in a company. You have a project. The project is established to cost $1 million. You’ve already spent $900,000. The sunk cost is what you’ve already spent. It’s the idea of throwing good money after the bad. Then you find out there was a better project to pursue. Would you spend the next $100,000 to finish the project? Would your answer be different if you hadn’t [already] spent $900,000? You made a decision. It didn’t turn out as you wanted. If you were an economically rational person, what you’ve spent in the past wouldn’t influence your behavior in the present. It’s the same if you invest in some legacy system and the payments will last five years, and after three years, you discover it’s not really what you need anymore. Are you likely to switch if you’re still making payments on the old project? It might be very painful to purchase the new one if you’re still making payments on the old one.

What should CIOs do when a more worthwhile project or investment comes along after they’ve already spent a lot of money on something else?

Again, they should think about what’s the best use of a dollar and ignore the past. I’m saying it as if it’s an easy thing to do. It’s not.

CIOs often hire consultants that tell them what they already know or what they want to hear. How does your research explain that seemingly irrational decision?

It’s an issue of accountability. People don’t want to make mistakes. They’re afraid to be fired. They’re afraid their bonuses will be affected. People are trying to cover their tracks. They hire consultants to tell them what they already think. It’s like IBM used to say, “Nobody ever got fired for buying IBM.”

You can also ask the question, are consultants really free to find what they want? It’s an issue of conflict of interest. If I’m being paid by you, I like you, and you want me to find X, am I really going to find that X is wrong? There are dependencies in these relationships.

You’ve found in your research that pain and people’s experience of pain, whether physical or psychological, often cause them to make knee-jerk decisions. Could you elaborate on the experiment you did in this area?

We put someone in a wet suit with tubes running through it that carry cold and warm water. We ran cold water through the wet suit, cooling him down to 46 degrees Fahrenheit. That’s very cold. We tell him that we’re starting the experiment, and we change the water temperature. So he started off being very cold, now the water becomes wonderfully warm. Then we cool the water off again. Then we stop changing the water temperature and ask him, “How painful was this?”

What did you find?

That people’s perception of pain depended on the pattern of pain.

What are the implications of that experiment, and how do they tie in with the research you’ve done on irrationality?

Say you use an ISP that improves its reliability from 80 percent to 90 percent. That ISP’s reliability is perceived as better than an ISP whose reliability is consistent or started at 90 percent and went down to 80 percent. If things improve, we are happy.

Senior Writer Meridith Levinson can be reached at mlevinson@cio.com.

cio.com: Decisions, decisions.

If IT investment decision-making has got you down, check out our I.T. VALUE RESEARCH CENTER for more tips, tools and techniques. Go to www.cio.com/itvalue.

FINALLY. BUSINESS SOLUTIONS THAT WORK WITH EXISTING TECHNOLOGIES AND NONEXISTENT BUDGETS.

You need to get more out of what you have. We have just the thing: solutions based on our open technology platform, SAP NetWeaver. Because it’s preconfigured to work with your current IT investments — and it’s fully operable with .NET and J2EE — SAP NetWeaver reduces the need for custom integration. That lowers your total cost of ownership for your entire IT landscape and gets you quicker ROI. Everything a CIO wants (and a CFO didn’t think was possible). Visit sap.com/netweaver or call 800 880 1727 for details.

THE BEST-RUN BUSINESSES RUN SAP

©2003 SAP AG. SAP and the SAP logo are registered trademarks of SAP AG in Germany and several other countries. Other product or service names mentioned herein are the trademarks of their respective owners.


Sales and Marketing Automation

THE NEXT CHAPTER

Application service providers are increasingly viewed as a viable solution in the CRM space, particularly for small and midsize companies

BY MERIDITH LEVINSON

Reader ROI

► Why ASPs may provide a viable solution for sales-force automation

► How some companies have used ASPs for online customer self-service

► Whether ASPs are the right fit for your company

Allied Office Products lost $8 million worth of business when the World Trade Center, where many of its customers worked, was destroyed. In the aftermath of the tragedy, the $300 million office products company was forced to lay off employees and reevaluate its entire business and sales strategy. Executives came up with a plan to generate new accounts and reactivate those that had lapsed. They also decided they needed a sales-force automation (SFA) system that would improve customer service and enhance sales employees’ productivity. They eventually zeroed in on an ASP that promised reasonable costs and a quick turnaround.

However, ASPs held a number of negative connotations for Allied executives, who remembered the ASP meltdown in 2000, when scores of hosted software companies went out of business after the dotcom collapse. COO Mike Palmer, who was CIO at the time his company was searching for an SFA product, worried that the ASP he had settled on—SalesForce.com—might go out of business in the chilly economic climate for IT spending. He was also concerned that a hosted solution couldn’t be customized or easily integrated with his company’s back-end systems. And he obsessed about whether the ASP could provide adequate protection for his company’s crown jewels—its customer data.

But in spite of those reservations, he made the leap of faith because of SalesForce’s cheap price tag and promise of fast implementation. Allied began rolling out the SalesForce.com product to its 220 sales and sales-support employees in April 2002.

Two months later, 165 salespeople were using the hosted software, and Palmer was in for a big surprise. The concerns he had had about the vendor’s financial stability, security and service levels turned out not to be major issues. And while not trivial, the obstacles his company ran into integrating SalesForce.com’s team edition with its legacy systems were surmountable. The biggest problems Palmer confronted with the hosted solution had to do with the age-old bugaboo of convincing salespeople to adopt new processes and tools—the same change management issues that bedevil any technology implementation, whether done in-house or hosted.

Much to his surprise, Dave Bevan, general manager for e-service for British Airways, found that integrating and customizing a hosted solution was no more difficult than integrating a licensed software package.

PHOTO BY CLIVE FROST

If Allied’s experience with SalesForce.com is any indicator, it may be time for CIOs to get over their (not unfounded) aversion to ASPs. Those who witnessed the collapse of the ASP market (when revenue growth declined by 86 percent from 2000 to 2002) might still have a lingering bad taste in their mouths. But in the CRM space at least, ASPs are increasingly being seen as a viable solution, particularly for small and medium-size companies. The surviving vendors have matured and largely rectified the security and service problems that dogged them in the past. CIOs, of course, still have to be on their guard against overblown promises that ASPs—or any vendor for that matter—make about instantaneous ROIs and quick deployments. While ASP deployments are quicker than packaged implementations, they still take longer than the vendors say they will, and the ROI always takes longer to achieve.

Five Reasons Why an ASP May Work for You

Here are criteria you can use to evaluate whether a CRM ASP is right for your company

1 You don’t have an IT staff, or your IT staff is small.

2 You don’t have a big technology infrastructure.

3 You don’t have well-established, deeply ingrained sales processes.

4 You don’t have the luxury of 12 to 18 months to deploy an application.

5 You don’t have or don’t want to spend a lot of money.

-M.L.

Even so, an increasing number of companies, including Allied, British Airways, Sovereign Bancorp and engine manufacturer Briggs & Stratton, have made the ASP model work for them. British Air found ways to integrate a hosted customer self-service application with its customer database and was pleasantly surprised to learn that a small ASP could support its huge, international Web presence. Sovereign discovered a hosted SFA solution that was so easy to customize that the company could put the task of customizing the application in the hands of non-IT employees. And Briggs & Stratton found that letting an ASP host the customer self-service application on its website ultimately resulted in zero downtime for the site. For those enterprises, going with a hosted solution turned out to be easier and less costly than rolling out and maintaining an enterprise software package themselves.

“If you go with a client/server-based application, you have to deal with both the technical implementation and the cultural issues,” says Allied’s Palmer. “With an ASP, all of the technology is sitting in their data centers. All you have to worry about is adoption.”

Overcoming Your Fears

One of the biggest worries CIOs had about ASPs in their heyday was security. Would their hosted data be secure from competitors, hackers, the outside world?

Bill Patten, director of MIS and project administration for Sovereign Bancorp, a $342 million bank headquartered in Philadelphia, was particularly obsessed with the security issue. So while the idea of a hosted solution for sales-force automation appealed to him, Patten and his IT staff spent weeks researching the security measures their ASP candidate, Salesnet, had installed before signing on in the fall of 2001.

The staffers began by visiting Salesnet’s data centers in Boston. They evaluated the firewalls, encryption techniques, socket security features, intrusion detection systems and other protections the vendor had on its servers. They also asked to see the results of Salesnet’s own security audits. Eventually, they came back with a thumbs-up.

“It took a while for us to become convinced that the privacy of our customer information was never at risk,” Patten says. The MIS director was also reassured by the fact that Salesnet, which was founded in 1997, had not only survived the dotcom collapse but was steadily expanding its network of profitable customers.

Patten’s next big concern was how easy (or hard) it would be to customize the Salesnet application. He knew he wouldn’t be able to change the underlying code, but he also knew he couldn’t do that very easily with packaged applications either.

What Patten discovered was that the Salesnet product would allow his company to tailor the application’s user interface according to Sovereign’s sales processes and lexicon. The customization was so easy, in fact, that administrative assistants throughout the company could do it.

Using pull-down menus, drag-and-drop fields and point-and-click maneuvers, the administrative staff mapped Sovereign’s sales process to the software to create whole new layouts of information, modify existing layouts, change the way fields were labeled, and design pick lists (drop-down menus of information that salespeople can select). Patten says the application was rolled out to 325 employees in six months.

Salesnet has “these analysts that work with you to help you figure out the processes you have and how you’re going to customize their application to them, which is pretty amazing,” says Paul Greenberg, author of CRM at the Speed of Light. He believes that “Salesnet does the best job of all the ASPs in customizing the application according to its customers’ sales processes.”

Patten would agree. He says the customization his staff had to do didn’t cost the company more money. “It doesn’t drive up the cost even incrementally because of its simplicity,” he says.

When Mike Palmer, the former CIO of Allied Office Products and now COO, signed up with an ASP for sales-force automation, he still had to deal with recalcitrant users who didn’t want to use the new tools and processes.

PHOTO BY EDWARD SANTALONE

British Airways was also pleasantly surprised by its experience in customizing and integrating an ASP solution. The $11.9 billion airline had signed a contract with RightNow Technologies to automate the creation and management of different FAQ pages on its website, BA.com. British Airways knew it would have to radically change the ASP’s standard product to suit its exacting needs. For instance, the airline needed to automatically develop, manage and post different sets of FAQs for different customers, depending on whether they were members of British Air’s loyalty program. If the customer was enrolled in the program, the technology had to identify his tier (low, middle or high end). That way, if British Air offered a special promotion exclusively to top-tier members, it could post information about that promotion in a Q&A format on a page that was accessible only to top-tier members and not to lower-tier participants or other customers.

Setting up this capability meant that British Air’s customer database and Web authentication system had to pass customer information to RightNow in real-time so that the ASP could identify customers based on their membership status and provide the appropriate FAQ page. Dave Bevan, British Airways’ general manager for e-service, says that getting RightNow’s eService Center application to dance to his company’s tune was not easy. “It was quite challenging because we were trying to do things quickly and were quite demanding of time scales,” he says. Daniel Butcher, lead developer with British Air on the RightNow project, says the integration work his company and RightNow needed to do was trickier than he had anticipated. The difficulty lay in preventing end users from being kicked off BA.com and onto RightNow’s website—a fix that required writing a small application to parse HTML and make sure hyperlinks were requested through British Air’s server.

Despite those difficulties, British Air met its deadlines and launched the product on schedule. Bevan attributes that success to the chemistry between RightNow’s and BA’s staffs. “The two teams got on remarkably well. There was quite a positive attitude on both sides of the house, and that did see us through,” he says. In sum, he says integrating a hosted solution was no more difficult than integrating a licensed software package.

When ASPs first emerged in the late 1990s, they had a lot of problems with scalability and service levels. Those early ASPs didn’t have the right infrastructure to support “multi-tenancy,” or lots of different customers. But the new breed of ASPs in the CRM space has largely mastered the multi-tenancy architecture and service issues.

In fact, these companies seem willing to bend over backward for customers. RightNow completely changed its application so that it could do what British Airways needed with no effect on the ASP’s other customers, which simply continued to use RightNow’s standard application. Realizing that potential customers in other industries such as retail and hospitality would also want to customize FAQs according to different customer segments, RightNow eventually built that functionality into its product.

British Air was also reassured that RightNow could handle its daily traffic by observing the volume the ASP’s other customers were putting on its server. “They were able to show us hard data on their capacity,” Bevan says. “They were able to show us what they could do currently and what they were investing in.”

In addition, RightNow offered British Air a free trial of its software. But the true test of whether RightNow could handle British Air’s site traffic came immediately after 9/11, when hundreds of thousands of users flocked to the website for information. Bevan says the airline’s call center would never have been able to handle all of those inquiries. “September the 11th cruelly demonstrated that this tool did meet the promises made by RightNow,” says Bevan.

Briggs & Stratton, a $1.5 billion manufacturer of engines for lawn mowers, motor boats and snowblowers, has experienced virtually no downtime since it opted to let RightNow host its eService Center application, according to Michael Del Valle, the company’s e-customer support coordinator. He says upgrades also proceed fairly smoothly with the ASP. “You can schedule your upgrade, get a test website, work with the test site and upgrade in a matter of days,” he says. “The support from RightNow is solid enough that if you have a problem, the personnel can in many cases fix whatever the problem is.”

Debunking the Hype

In an effort to compete with the large CRM vendors, ASPs do sometimes make heady promises about their quick and easy deployments, speedy ROIs and bargain basement prices. Beware these sells. Only one company that CIO spoke to, Electronics for Imaging, managed to roll out an ASP CRM application to 100 out of its 125 users in four weeks. Part of the reason the deployment went so quickly was because Electronics for Imaging did not try to integrate the product with its SAP back-end systems. If your company needs to do customization or integration, you can count on a longer deployment time. On average, the companies CIO interviewed took five months to roll out their ASP applications.

Beware the promises that some ASPs make about quick deployments and speedy ROIs.

Cost savings can also be a red herring. While CRM ASPs are considerably less expensive than client/server-based applications (ASP customers don’t have to worry about capital expenses associated with infrastructure), the cost does catch up after about four years because you’re paying a monthly fee for the ASP service for as long as you run it, says Bob Chatham, principal analyst with Forrester Research. “In the long run, the hosted applications only have a 25 percent cost advantage over licensed software,” he says.

While ASP deployments may be easier from a technical viewpoint, their customers still have to deal with recalcitrant users who don’t want to use these new tools and processes. And ASPs don’t provide much—if any—help in the area of change management. Allied’s Palmer says his company had to come up with its own incentives to get salespeople to use the product. Allied, for instance, created a tele-prospecting group that does all the time-consuming legwork associated with lining up sales calls, freeing up salespeople to make more calls and thus, increase their commissions. But since only sales employees who actively use SalesForce.com are given access to the tele-prospecting group, even the most stodgy salespeople at Allied have begun using the hosted software just so they can have someone else make all the tedious cold calls.

Perhaps because of the creative way Allied got its employees to use SalesForce.com, the company is seeing a substantial return on its investment. Of the $180,000 in new sales his company generated in January 2003, Palmer attributes 25 percent, or $45,000, to SalesForce.com.

The vast majority of companies deploying hosted solutions today are small and medium-size businesses that don’t have an IT staff or don’t want to burden their small IT staffs with CRM implementations. But Forrester’s Chatham expects ASPs will soon be a popular choice among Fortune 500 companies. “Over time, there’s no reason why a [hosted] model won’t scale to thousands of users,” he says.

ASPs are, in fact, starting to infiltrate the big guys. Staples, an $11.6 billion office supply retailer, recently deployed Salesnet to its 500 sales employees to track demand and forecast revenue.

These days, the only other threat to ASPs is Microsoft, which released its CRM product last January. Greenberg predicts the software giant will undoubtedly steal a large piece of the CRM pie. “They’ve got the marketing muscle, the dollars, the functionality, the engineers, and the fears they strike in the hearts of other vendors,” he says.

The bottom line, Chatham says, is that if an application meets your needs, you shouldn’t worry about whether it is hosted or licensed. Instead, when it comes time to select a vendor, consider the basics, like the company’s financial stability, its reputation and market position, and the quality, price and potential benefits of its application. “The hosted versus licensed issue is overplayed,” Chatham says. “A lot of the issues people throw up around hosted data are really misplaced.”

Share your ASP stories with Senior Writer Meridith Levinson at mlevinson@cio.com.

cio store

Still trying to get a handle on CRM? Our latest CIO FOCUS offering, a guide to CUSTOMER RELATIONSHIP MANAGEMENT: MAXIMIZING REWARDS, MINIMIZING RISKS, is on sale now at www.theciostore.com.


" Our  sights  are  set  on  corporate 
growth.  We  need  to  move  fast 
to  stay  competitive. 

My IT department can barely keep
their heads above water with the
day to day issues, let alone have
time to research new system options.

I'm  willing  to  invest  in  the  education 
of  today's  technology  if  the  return 
improves  our  productivity  and 
bottom  line  results. " 


The  Information  and  Communications  Technology  (ICT) 


Conference  and  Tradeshow  -  strictly  business  to  business. 


CeBIT 

June  18  -  20,  2003 
Jacob  K.  Javits  Center 
New  York  City 


CeBIT  America's  3-day,  enterprise  only  Conference  and 
Tradeshow  provide  direct  access  to  the  world's  systems,  applications, 
communications  and  networking  leaders,  in  one  place,  at  one  time. 

If  you're  charged  with  integrating  technologies  and  applications  to 
meet  your  organization's  business  objectives,  then  we'll  see  you  at 
CeBIT  America  -  Where  the  World  Turns  for  ICT  Solutions. 

Register  Now!  Visit  www.cebit-america.com/info1  to  register  with  priority 
code  MACS  and  view  our  online  brochure,  or  give  us  a  call,  212-465-0531. 


Some of our participating partners: Builder.com • Business Council for the United Nations • CNET News.com • Computerworld • Gartner • Information Technology Association of America • MultiMeteor • Network World • New York eComm • Novell Best of BrainShare • Oracle • Tech Corps • TechRepublic • Wall Street Journal • Wall Street Technology Association • ZDNet


CIO  Role 




Private-sector  CIOs  are  bringing  new  levels  of  expertise  to 
government  IT.  And  public  service  teaches  CIOs  skills  that  the 
private  sector  is  finding  ever  more  essential. 


BY  TRACY  MAYOR 




WANTED:  SEASONED,  EXPERIENCED  CHIEF  INFORMATION  OFFICER. 


Must  be  willing  to  work  long  hours,  endure  lengthy  public  debate  over 
day-to-day  minutiae,  answer  hostile,  intrusive  questions  from  reporters, 
build  a  senior  management  team  under  severe  financial  and  bureaucratic 
constraints.  Tenure  uncertain,  linked  to  boss’s  political  performance. 
Salary  as  much  as  70  percent  below  market  value.  No  stock  options.  No 
bonuses.  No  relocation  expenses. 


Reader  ROI 

►  Why  the  public  sector 
is  a  viable  career  path 

► What skills and qualifications are required for the job

►  How  public-sector 
skills  are  transferable 
to  the  private  sector 


Not exactly a job you’re dying to nail? Well, during the past 18 months a slew of top CIOs from corporate powerhouses such as Disney (Stuart McKee), EDS (George Newstrom) and Verizon (Thomas Jarrett) have said yes to jobs very much like the one described above: the job of state CIO.

It’s something of an emerging trend. All over the country, senior technology executives are jumping from the private to the public sector. Their motivation, surprisingly, isn’t entirely post-9/11 altruism or, conversely, disgust with corporate financial scandals. Being a government CIO, it turns out, can be a great job, and it can be a great stepping stone to the next job.

Of course, you won’t get rich. Salaries run 20 percent to 70 percent less than what’s being offered in the private sector. (One state CIO now earns less than he used to pay in taxes at his old job.) Instead of cash, the state CIO position offers compensation in the form of power and authority. State CIOs exercise control over a broad range of services, and they possess budgets (ranging from $30 million to $425 million) that can rival those of Fortune 50 organizations. Plus, they often have a surprisingly free hand with which to operate.

“It’s a challenging career move,” says Gerry Wethington, president of the National Association of State CIOs (NASCIO). “Because of the economy, states are confronting a whole new set of issues, like business process efficiency, where the private sector has an opportunity to help.”

And public service, whether it’s at the federal, state or big city level, teaches CIOs skills that the private sector is finding ever more essential. “Negotiation skills, appropriations, how to work with a legislative body,” lists Wethington, who is himself CIO of Missouri. “Many corporations today are stymied by their ignorance of the business processes of government. If and when you go back to the private sector, you’ll have a better understanding of how to work with government.” Former Washington state CIO Steve Kolodney, long considered a superstar in government IT, is now vice president of digital government initiatives for American Management Systems, a Fairfax, Va., IT consultancy.

IS THE PUBLIC SECTOR RIGHT FOR YOU?

When states go looking for CIOs, they look for people with highly developed communication skills — managers who can explain technology to everyone from suspicious taxpayers to skeptical legislators, says Dick Bennett, principal at Bennett Associates, a Norwell, Mass., civic recruiter who recently helped the state of Washington fill its vacant CIO post.

State CIOs must be able to pull together massive, far-flung and often poorly integrated operations and must be adept at serving multiple constituencies. And candidates for state CIO have to be goal-oriented: term limits, or the voters, often dictate a short job tenure in which to effect change.

Must the ideal candidate be political as well? Not necessarily. While all but one of the state CIOs we profile knew their governor in some capacity before their appointment, NASCIO’s Wethington insists the job isn’t so much about Politics with a big “P” as it is about little “p” politics, although he admits it “helps if you’re known to the existing IT community in the state, particularly if your company has been in a good private-public relationship with the state government.”

But big “P” politics does, in fact, play a big part in the job. In the six weeks it took us to report this story, two of our potential profilees fell by the wayside. Utah CIO Phillip Windley resigned under pressure in December, unable to weather a storm of accusations over what a legislative report deemed were unfair hiring practices. (Windley, a former vice president at Excite@Home, had hired several other Excite employees at higher-than-average starting salaries and had apparently bypassed competitive-practices structures to do so.) And in November, Judith Teller, New Jersey CIO and newly appointed secretary and treasurer of NASCIO, quietly tendered her resignation to Gov. James McGreevey, telling CIO only that, “Due to budget and other concerns, it became clear the administration wasn’t going to focus on technology as a strategic enterprise asset.”

Windley’s crash is at least partly about living in a fishbowl; Teller’s is partly about pervasive budget crises that are reaching levels last seen during the Great Depression. Both cases highlight the fact that in politics, the CIO job is intimately tied to the successes and failures of the boss, be it the governor, the mayor or the president. (When Teller resigned, New Jersey Gov. McGreevey’s approval rating had fallen to 37 percent.) IT is often a difficult sell — inside government or out — and when times get tough, the CIO can suddenly find himself like Harry Potter, living under the administration’s stairs. As one CIO says, “If your governor isn’t willing or able to expend political capital to gain support for enterprise technology projects, you have to ask yourself what you’re doing there.” Or, in cases like Windley’s, the governor could wind up asking that question of you.

Washington CIO Stuart McKee advises against working in state government “if you’re motivated just by money.”

Why jump into such a snake pit? If it’s not about the money, and if the future’s uncertain, what’s the allure of public service? Every CIO we interviewed says a heartfelt belief in the responsibilities of citizenship is an absolute prerequisite for taking on the job.

“The  position  requires  a  fundamental 
belief  in  the  idea  of  stewardship,”  says  Brian 
Wolf,  CIO  for  the  state  of  Montana.  “If 
that’s  not  part  of  your  thought  process,  this 
is  not  a  job  for  you.” 


WASHINGTON 


STUART  McKEE 

Director of Washington State Department of Information Services and CIO

Age: 36

Salary: $133,000

Previous job: Vice president of global Internet operations at Disney

Took the job in April 2002 because: McKee was wowed by the state’s reputation as an IT leader (he filled the post vacated by CIO superstar Steve Kolodney).

Technology challenge: Changing outdated business processes (and convincing people to change along with them).

Management challenge: Fulfilling Gov. Gary Locke’s directive that the state’s IT services be run as a discretionary, competitive business unit within government. “Government agencies and nonprofits buy services from us if they want to. We have a rate schedule; we aggregate demand; we have to prove we’re providing the best value. It’s absolutely refreshing, and it makes sense for the private sector as well.”

On the pay cut: “This is a job where your compensation is a matter of public record. You can still be ambitious and work in state government but not if you’re motivated just by money.”

His future: Stay on as long as Locke is in office, or even longer if the new administration wants him to. Beyond that, McKee is convinced he could take his experience with Washington’s competitive IT services model and sell it to the private sector. “I love the idea of taking what we do here and bringing that back to private enterprise. I see this position as an amazing career and growth opportunity.”



PHOTO  BY  KAREN  MOSCOWITZ 


Sony  AIT  data  storage  solutions  help  companies 
of  any  size  automate  tape  backups,  delivering  real 
ROI  through  IT  time  savings. 


Government regulators are requiring organizations from financial to health care to keep copious long-term records. Disaster recovery and business continuity requirements are more stringent than ever, as organizations try to prepare for the worst. And all the while, IT organizations are stretched to the limit, struggling to meet these basic day-to-day demands.

Clearly, it is imperative for any organization to routinely back up valuable data, but it's not imperative that they spend an inordinate number of IT hours doing it. Let's say it takes a single IT administrator 15 minutes to load, unload and check a backup tape, and that person has to deal with just two tapes each day. That's at least 10 hours of IT time per month spent juggling tapes — hours that could be dedicated to more strategic endeavors.

Automated tape systems can get organizations off the backup treadmill. Such systems allow you to consolidate multiple drives into one solution that can be loaded with enough tapes to handle backups for days or weeks. All the required backups and tape rotations are handled on a predefined schedule, without human intervention.

Once a luxury for only large organizations with big budgets and large IT departments, automated tape storage solutions such as those in the Sony Advanced Intelligent Tape™ (AIT) automation family are now cost-effective solutions for small and midsize organizations. Indeed, the fastest growing segment in the tape automation market is for systems with 20 cartridges or less. Even small companies, workgroups or departments with individual Digital Data Storage® (DDS) tape backup systems can gain significant business benefits. Larger organizations can leverage the performance, capacity and reliability of a Sony AIT library to enable up to 30 days of unattended backup, boosting cartridge utilization and simplifying management.

Traditionally, many organizations use individual tape drives to back up critical servers, adding additional drives as demand dictates. Consequently, these tape drives are often deployed in a decentralized fashion, requiring that someone physically load fresh tapes into each drive daily or weekly, and to verify that backups complete successfully. With data volume doubling or tripling every year or two, it is difficult to keep up as the number of cartridges grows. Before long, multiple administrators are collectively spending an inordinate amount of time swapping tapes and attending to other mundane chores. This is particularly burdensome in systems with limited tape cartridge capacity.

While such organizations clearly need an automated tape solution, even those with only one tape drive can benefit. Single-drive tape autoloaders and multiple-drive tape libraries are integrated solutions that have space for anywhere from eight to hundreds or even thousands of tapes, along with a mechanism to automatically replace or rotate the tapes on a preset schedule.

When using an automated solution, an administrator loads the tape drives with the appropriate tapes and uses backup software to specify when tapes should be switched, what files should be backed up and how often. Most systems notify the administrator if something is wrong, such as if a tape runs out of space. Otherwise, the administrator simply needs to check the unit at the end of the cycle, be it seven days or 30, and load new tapes. Consider the time savings compared with manually configuring the backup each day, swapping tapes and making sure each backup is complete. Then, consider that the time savings and increase in reliability are even more dramatic when it comes to retrieving data, when time is even more critical.

Sony  AIT 

Sony's AIT tape drives and libraries were designed from the ground up for automation, with a range of models that allow organizations to centralize their backups and upgrade existing library capacity. For example, Sony's LIB81, the first 1U autoloader in the industry, has one tape drive and capacity for eight cartridges. The flexible range of capacities supplied by Sony AIT-1, AIT-2 and AIT-3 tapes offer enough for a week's worth of backups, with room to spare for a head cleaning cartridge or a copy of a previous week's or month's backup tape. Sony’s LIB162 is a larger unit with space for two tape drives and up to 16 individual tapes, all within a 2U rack-mountable design that can fit in a limited space. Its storage capacity of 0.8 terabytes (TB) native and 2.08TB compressed puts it among the leaders in terms of storage density per cubic foot.

In addition to rack-mountable storage systems, Sony has desk-side tape libraries that allow users to load up to 15 cartridges in a single removable magazine. This provides enough capacity for two weeks worth of tapes. Sony also offers 30-cartridge units that can provide up to one month or more of hands-free backups.

All  of  Sony's  automated  tape  libraries  include  a  number 
of  important  capabilities  and  characteristics,  including: 

• Remote administration: Sony's tape libraries all have the capability to be controlled and monitored from a remote location.

• High reliability: Sony AIT-3 drives are rated at up to 400,000 hours mean time between failure (MTBF) at 100% duty cycle — far exceeding most other types of traditional backup drives.

• Fast file access: Sony drives were the first in the industry to include the Memory in Cassette (MIC) feature, which provides 64K-bit flash memory within the tape cartridge to index information and the location of data on the tape. The feature speeds data access and retrieval, making AIT one of the fastest tape formats in terms of data retrieval.

• Future growth path: Currently in its third generation, AIT has a defined and proven roadmap that has seen performance and capacity double with each new generation. In addition, all three generations of AIT drives available today are both read and write backward-compatible.

• Industry support: AIT drives work with all major operating systems, including Windows, Linux and Unix, as well as with the majority of backup software packages, including Computer Associates' CA BrightStor ARCserve, Veritas Software's Veritas Backup Exec and NetBackup, Legato Systems' NetWorker and IBM's Tivoli Storage Manager.

Sony's  AIT  automated  tape  backup  solutions  are  also 
ideally  suited  to  address  the  growing  need  for  networked 
backup.  Rather  than  installing  and  managing  dedicated 
tape  drives  or  libraries  near  each  server,  an  organization 
can  consolidate  all  storage  functions  and  back  up  data 
from  various  servers  across  the  network,  further  reducing 
deployment  complexity  and  improving  IT  productivity. 

Whatever the configuration, high-speed, high-capacity AIT tape systems can reduce the pressure on your backup window by cutting down on the time it takes to complete a backup or restore. Automating your daily or weekly backups provides even more benefits — more reliable backups performed without manual intervention, freeing up valuable IT hours that can be spent on projects that contribute to the bottom line.


Progression 


Automation 


Single/dual  drive  library  or  autoloader 


•  One  or  more  drives,  many  tapes 

•  Excessive  manual  effort 


Benefits: 

•  Higher  capacity  and  performance 

•  Hands-off,  unattended  backup 


Learn More About Sony AIT Solutions. Download the free white paper, "Doing More Through Automation," and learn more about Sony storage solutions. Visit www.nwfusion.com/sony/AUTOCIOI


Take-away: “I didn’t anticipate my enthusiasm for public life. Public service ‘shareholders’ are everywhere, and they care. This is an enormous, enormous IT services operation, and people’s lives depend on what we do.”


VIRGINIA 


GEORGE  NEWSTROM 

Secretary of Technology

Age: 56

Salary: $128,000

Previous job: Corporate senior vice president and president of EDS Asia

Took the job in March 2002 because: “I’d been in the private sector for 28 years. I was getting ready to retire, and I wasn’t interested in a government job. But I met with [Gov. Mark Warner], and we talked about the job, and I said, I like what he stands for. I think I can contribute.”

Technology challenge: Using technology to make government more efficient and effective with an ever-shrinking pool of resources. “Downsizing is the same for government as it is for private industry. We’re literally going through the same drill, and it’s tough.”

Management challenge: Moving quickly. By law, the governor of Virginia is limited to one four-year term, which gives the administration very little time to implement long-term change. “It requires very quick action. We have to have a direct impact in 18 months. If our plans aren’t implemented in, say, 18 to 24 months, we’ve probably lost our window of opportunity.”

On the pay cut: “I take dollars out of my wallet every day to pay for this job. It’s not a position you take for the stock options or bonuses.”

His future: Retirement.

Take-away: “It would behoove anyone to take a public position, the way executives take on an overseas assignment. The wheels of change may turn at a different pace, but having a working understanding of that process will make you a better executive in the long run.”

Virginia Secretary of Technology George Newstrom (left) believes that what one learns serving in the public sector would make anyone “a better executive in the long run.” Montana CIO Brian Wolf (above) says, “I’m working longer and harder than I ever have.”


MONTANA 


BRIAN  WOLF 

CIO

Age: 40

Salary: $105,000

Previous job: Manager of telecommunications and technology transfer at Basin Electric Power Co-op, Bismarck, N.D.

Took the job in September 2001 because: After 19 years with the same company, Wolf welcomed the chance to be Montana’s first CIO. Plus, he has a soft spot for Montana; and at midcareer, he was feeling the need to contribute to public good in some manner. So when Montana announced the job, Wolf applied.

Technology challenge: Evaluating several large, troubled IT projects to determine whether they’re salvageable. And building a process architecture to strengthen the state’s project management methodology to ensure that mistakes won’t be repeated.

Management challenge: Moving the state’s IT organization from a siloed environment to an enterprise perspective. “There’s a lot of historical culture to deal with, a lot of trust that needs to be built.”

On the pay cut: “You don’t come to these positions for the money. I’m working longer and harder than I ever have. You have to have a fundamental sense of stewardship for the taxpayers of the state.”

His future: Gov. Judy Martz’s term ends December 2004, and she hasn’t yet announced if she’s running again, but because Wolf does not report directly to the governor it’s possible he could stay on under a new administration. If and when he’s ready to return to the private sector, “the skill sets I’m using here are absolutely transferable to the private sector or another government job.”
Take-away: “It’s a wonderful feeling when you deploy true efficiency and effectiveness that touches the taxpayer. And the research, performance management and best practices that come out of government models are invaluable. Wherever I go next, I will be a much better manager because of what I’ve been exposed to here.”

cio.com: Thinking about a career move? Check out CIO's JOB LISTINGS at jobs.cio.com. Get advice from the CAREER COUNSELOR at www.cio.com/executive.

PHOTO LEFT BY RON HOLTZ; RIGHT BY RICK BUSH


It's OK to show off to your friends that you were in CIO.

But it's even better to show your customers.

What better way to inform your key customers of your editorial coverage in CIO than through customized Editorial Reprints?

Leverage the positive impact of your editorial coverage by using reprints for direct mail campaigns, seminar promotions, employee communications, recruiting and marketing programs. Let us enhance your reprints with your company's logo, address, and sales message. Reprints make great SALES tools for trade shows, mailings or media kits.

And while a framed copy of your article will look neat on your wall, it will look even better in the hands of your customers.

For more information on customized editorial reprints in volume quantities, contact Chad Johnston at 651-582-3817 or cwjohnston@reprintservices.com or visit our website at cio.com/marketing and click on reprints.


"We just migrated to Dell servers running a standards-based solution and now we're getting significantly better price/performance."

"We're...uh, still running a proprietary, UNIX-based system. Right."

Translation:

Translation:

Translation:

We're hemorrhaging cash

We're saving a boatload

industry-standard technology such as Intel® Xeon™ processors.

Dell | Enterprise

In a recent Dell test, running Oracle® 9i on a Dell server solution had anywhere from a 3x to 8x price/performance advantage over Sun! Whether using an Intel® Xeon™ processor-based 4P PowerEdge™ 6650 or 2P PowerEdge 2650, the Dell solution was faster and less expensive than a Sun Fire V480 solution. To see complete test results, go to www.dell.com/migration11.

There's little, if any, debate: Migrating from UNIX to a standards-based solution lowers TCO. The real questions are "How does it perform?" "How much will it lower TCO?" and "Who do we turn to?" Well, when you migrate to open standards, remember this: Dell gives you both mind-bending performance and unparalleled expertise, at a TCO so small you’ll need a microscope to find it. And the entire solution is backed by enterprise level, 24/7 service and support.

The migration is on. Find out how you can make the most of it for your organization. Call 1-877-439-DELL, or go to the Dell UNIX Migration online calculator at www.dell.com/migration11 to see how a Dell solution can lower your migration costs and help simplify the transition.

Get more out of your enterprise for less. Easy as DELL

Click www.dell.com/migration11 Call 1-877-439-DELL toll free

Tests by Dell in January 2003 on baseball database. Dell configurations: Dell PowerEdge 6650 server with four 2.0 GHz Xeon MP processors, Red Hat Linux Advanced Server 2.1. 3 Year Gold Support. Price: $32,701 (www.dell.com, 1/20/03) and Dell PowerEdge 2650 server with two 2.8 GHz Xeon DP processors, 4GB memory, Windows 2000 Server, 3 Year Gold Support. Price: $9,324 (www.dell.com, 2/10/03). Sun configuration: Sun Fire V480 server with four 900 MHz UltraSPARC III processors, Solaris 9 (12/02 version). Price: $53,796 (www.sun.com, 3/17/03), 3 Year Gold Support. For details and results, see: www.dell.com/migration.

Intel, the Intel logo and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Dell, the Dell logo and PowerEdge are registered trademarks of the Dell Computer Corporation. ©2003 Dell Computer Corporation. All rights reserved.


PHOTO BY RON HOLTZ


Visit www.dell.com/migration11 and go to the Dell UNIX Migration online calculator for a free migration assessment. A Dell UNIX migration solution comes complete with


DELAWARE 


THOMAS  JARRETT 

Secretary of the Department of Technology and Information and CIO

Age: 51

Salary: $133,660

Previous job: Worked at Verizon in Delaware for 30 years, holding the position of director of government, education and philanthropy affairs for the last six years.

Took the job in September 2001 because: Intrigued by challenge and opportunity. Gov. Ruth Ann Minner, with whom Jarrett had developed a working relationship while he was in Verizon’s office for government affairs, won legislative approval in May 2001 to create a new IS organization that would be outside the civil service system. In August 2001, Minner asked Jarrett if he’d be interested in the new cabinet-level CIO position. Jarrett said yes. “I had a chance to come in and handpick and hire an entire organization with a new market-based compensation plan and run it like a business.”

Technology challenge: Maintaining critical systems and making data center upgrades while simultaneously building a new organization. And developing standards that provide the highest level of customer service at the lowest possible cost.

Management challenge: “The budgeting process is very, very different from the private sector. It’s been a learning process to go through the hearings, testify before the general assembly, and figure out the differences between state funding and federal funding, and special funding versus general funding.”

On the pay cut: “You don’t come to these positions for the money.”

His future: Fulfill his commitment to his governor, including a possible second term, then perhaps retire.

Take-away: “This is a great opportunity to hone your communication skills. You’re not just talking to people in your company all day. It’s the legislature, your peers in state government, agency heads, the press, citizens — a very diverse group of people.”


Tracy  Mayor  is  a  freelance  writer  who  covers  tech¬ 
nology  for  CIO.  Send  comments  to  letters@cio.com. 


end-to-end  Fast  Track  Migration  services 
covering  applications  such  as  Oracle,  C/C++, 
Sybase  to  SQL  Server,  Java  and  a  full  range 
of  Web  applications. 


Call  1-877-439-DELL  today  to  speak  with  a  Dell 
representative.  Together,  you  can  assess 
your  individual  needs  and  then  develop  a 
cost-effective  plan  for  UNIX  migration. 


Easy as DELL


Call  1-877-439-DELL 

toll  free 

Click  www.dell.com/migration11 



HIRING 


FIRING 


INSPIRING 


Hot Seat


Inside

MANAGEMENT REPORTS | 105
Working with CXOs: How to lead as a team

LEADERSHIP AGENDA | 106
By Susan H. Cramm
An All-Around Waste of Time: Full-circle or 360-degree feedback assessments must meet three conditions to be useful

Reader Q&A

How comfortable do you find the hot seat? E-mail Leadership and Management Editor Edward Prewitt at hotseat@cio.com.


Walk  the  Alignment  Tightrope 

CIOs  need  a  light  touch  to  set  business  managers’  expectations 
about  IT  projects — and  still  appear  helpful 

BY  MERIDITH  LEVINSON 


At  Hon  Industries,  a  furniture  and  hearth 
manufacturer  based  smack  in  the  middle 
of  America — Muscatine,  Iowa — Malcolm 
Fields  walks  a  fine  line  when  setting 
expectations  with  his  business  colleagues 
on  what  IT  projects  can  accomplish.  For 
Fields,  vice  president  and  CIO  of  the 
$1.7  billion  company,  that  balancing  act 
means  showing  them  the  challenges  of 
implementing  new  technology  without 
coming  off  as  a  naysayer  or  know-it-all. 

The  41 -year-old  executive  continually 
works  to  set,  reset  and  communicate 
expectations  on  the  length  and  cost  of  an 
IT'  project,  the  challenges  that  might  arise 
during  its  course,  and  the  new  technology’s 
true  functionality.  Not  doing  so  can  lead  to 
project  failures,  wasted  resources,  addi¬ 
tional  costs,  lost  opportunities  and  a  loss  of 
respect.  “If  you  waste  a  half-million  bucks 
[on  a  failed  implementation],  you  have  to 
take  a  one-time  hit  to  your  [financial] 
reporting,  and  that’s  ugly,”  says  Fields. 
“You  lose  credibility  with  the  street.” 

Botched  projects  damage  reputations 
and  can  ultimately  damage  careers.  “CIOs 
are  terminated  not  because  they’re  not 
strategic  but  because  they  don’t  deliver,” 
says  Louis  Boyle,  vice  president  of  the 
Executive  Directions  group  at  Meta 
Group.  “Job  number  one  is  to  deliver,  and 
that  means  delivering  on  expectations.” 

Setting  user  expectations — neither 
promising  too  much  nor  offering  too 
little — is  one  of  the  trickiest  aspects  of 
the  CIO’s  job,  Boyle  says.  Those  who  do 
make the effort to communicate expectations
risk appearing arrogant or difficult
to work with, particularly if the users
view the advice as the CIO’s intransigence
to give users what they want.


Fields  warns  that  “if  you  sound  negative 
and  if  what  [users]  hear  from  you  is  ‘He’s 
too  busy,  he  doesn’t  want  to  deal  with 
this problem,’ they’re going to do it anyway” —
by purchasing software they’ve
read  about,  for  example,  regardless  of 
whether  it’s  the  best  solution. 


Hon Industries CIO Malcolm Fields set executive
expectations for CRM by explaining
the  causes  of  its  high  failure  rate. 

Helping  users  understand  what  they’re 
getting  into  and  then  helping  them  succeed 
at  it  is  of  paramount  importance.  At  the 
same  time,  the  Kansas-born,  Iowa-bred 
Fields  doesn’t  want  to  seem  too  big  for  his 
britches.  So  when  he  caught  wind  of  a 
business  VP’s  interest  in  CRM,  Fields 
knew  he  had  to  act  fast  and  act  with  class. 

Time  for  the  Full-Court  Press 

Sitting  in  strategic-planning  meetings 
where  corporate  executives  discussed 




their technology needs, Fields knew the day would come when his colleagues in sales would ask for a customer relationship management system — and he dreaded it. “Consultants will tell you 50 percent of CRM projects fail. I’d say it’s 75 percent,” says Fields.

In March 2002, Kevin Jordan, vice president of corporate accounts for Allsteel, one of Hon Industries’ furniture manufacturing businesses, went to the IT department with a proposal. He told Ralph See, an IT project manager with whom Jordan had a working relationship, that he could improve the efficiency of his field sales employees if they had more tools to communicate with each other and with corporate headquarters. He wanted IT’s help in looking for a solution that would integrate with the rest of the company’s business systems. Jordan was obviously under the impression that finding and implementing a comprehensive, off-the-shelf contact management system would be simple.

Within a few days, Fields heard about their meeting and decided he better get involved. He knew he needed to make Jordan understand what it takes to successfully pull off a CRM project.

First, Fields needed to show Jordan the reasons behind CRM’s high failure rate: The scope of these projects easily and frequently explodes; the products, with their bells and whistles, are too complicated and difficult for field salespeople to use; and the logistics of getting software installed and synchronized on every field sales employee’s laptop is too complex.

Fields  and  See  began  by  giving  Jordan 



copies of articles about CRM projects so that he could read for himself the difficulties companies face when implementing such systems. They also attended meetings that Jordan set up with vendors.

“I went to every meeting until I saw in Kevin Jordan’s eyes how damn hard this was going to be,” says Fields. Every time the software salesmen began crowing about their products’ special features, which likely would have unrealistically raised Jordan’s expectations for the products’ functionality, Fields gently reminded the vendors how difficult these projects are. He also asked each vendor point-blank what its success rate was. All the vendors fessed up to a 50 percent to 70 percent failure rate.

“Instead of me saying, ‘Kevin, these projects are very difficult and they typically fail,’ I basically asked each vendor what their success rate was,” says Fields. This way, Fields says, he didn’t have to worry about insulting Jordan’s intelligence or appearing negative or confrontational.

Jordan was able to ask informed, pointed questions because he had read the articles provided by Fields. With vendors’ sobering pronouncements about their success rates, Jordan soon realized what he was getting into. In fact, he was ready to can the CRM software project altogether, says Fields.

Knowing the software was something the business needed, however, Fields and his project manager quickly set out to help Jordan establish parameters for the project and the software’s functionality. In one-on-one conversations, See asked Jordan what functionality he really needed, advised him on the importance of limiting a project’s scope, and cautioned him against getting caught up in all the “fluff” vendors showed off during demonstrations.


SETTING BUSINESS EXECS’ EXPECTATIONS

Six Steps for Defining Project Success

CIOs usually neglect to align their expectations of an IT project with those of users, says Thomas Hollman, an organizational psychologist with Mainsail Associates in Princeton, N.J. The result can be different definitions of what constitutes a successful project. Here are six tips for sidestepping that snare.

1. Don’t go it alone. Determine the needs and requirements of your business colleagues, and strike a balance between what they want and what your IT department can deliver.

2. Design mock-up screens to show the business unit leaders what you’re thinking. Solicit their feedback on what you’re showing them.

3. Link your expectations for the project to your company’s mission. Show your internal customers how simplifying an IT project will increase productivity, lower costs or improve quality or customer service.

4. Distribute frequent status reports to keep important stakeholders in the loop on a project’s progress.

5. Educate users on what it takes to implement a particular application or system.

6. Consider writing service-level agreements with internal customers to establish mutually agreed-upon expectations. -M.L.


ILLUSTRATION BY JOHN UELAND


Fields says it wasn’t hard to sell Jordan on the idea of simplifying the project. Since 1992, the company has adhered to a business philosophy it calls “rapid continuous improvement” that emphasizes streamlining design, manufacturing and administrative processes to increase productivity, lower manufacturing costs and improve product quality. “We’re all about simplification,” says Fields of Hon. “It’s something that people take to very easily.”

The  Importance  of  Being  Earnest 

In setting expectations, Fields advises other CIOs to deal with their peers in person. “Get to know these people. Understand what they want and what they need. Get involved in a conversation. Work in your points. Find data to back up your points,” he says. “You’ve got to get to know these people. They’ve got to know what your motivation is. They’ve got to know you want the project to work just as badly as they want it to or more so, but you want them to know how difficult it’s going to be.”

Project manager See worked with Jordan to develop a system mock-up, complete with screen fields for entering information. He explained the application’s look and feel to Jordan and asked for his feedback. From his conversations with Fields and See, Jordan could clearly articulate his specific requirements to vendors and find a vendor that could come the closest to matching what he wanted.

For his part, Jordan says he appreciated Fields’s approach to setting expectations. “He listens, then makes a qualified statement based on information rather than prejudging the outcome,” says Jordan. “I never once thought he was imposing his will on the outcome of the project.”

Jordan also appreciated Fields’s constructive approach to laying out the challenges of the project. “Instead of saying, ‘We can’t do this,’ [Fields] said, ‘These are the stumbling blocks we’ve got to get past. Here are my ideas on how we can get past them. What do you think? What do you need us to do?’” says Jordan.

Jordan recently selected a vendor, which he declined to name. The system went live in mid-February and took only eight weeks from management approval to rollout. Fields believes the time he took to get Jordan to understand the challenges of implementing CRM software paid off when they jointly sold the project to the executive committee.

“My role as CIO is to ensure that the projects we invest in turn out to be successful. The best way to do that is to make sure the people who get involved understand the true risk and the true [total cost of ownership] so nothing comes back to bite them,” says Fields. And properly setting expectations reduces the risk that users will come back and bite the CIO.


“Business managers have got to know you want the project to work just as badly as they want it to or more so, but you want them to know how difficult it’s going to be.”

-Malcolm Fields, CIO, Hon Industries


Have you found that setting expectations on IT projects is a minefield? Let us know at hotseat@cio.com. Senior Writer Meridith Levinson can be reached at mlevinson@cio.com.


MANAGEMENT REPORTS

Working with CXOs

How to Lead as a Team

Three-fourths of CIOs sit on their companies’ executive teams, according to this magazine’s “State of the CIO 2003” survey (see the results at www.cio.com/state). But do those teams know how to lead as a team?

According to Accenture researcher Robert J. Thomas, few executives excel at working in tandem with their peers on leadership teams — that is, collaborating on complex decisions, engaging in a productive dialogue (in which opposing opinions are discussed rather than repressed), and then leading change as a cohesive group across multiple business divisions or functions. In many hierarchical organizations, “leaders have deep functional or regional strengths and personal histories that predispose them to think in terms of the parts rather than the whole,” writes Thomas, a senior research fellow at the Accenture Institute for Strategic Change, in a recently released report, “Leading as a Team.”

Meetings at companies without these leadership skills can consist of executives updating one another with their different perspectives rather than thinking as an aligned group. CIOs falling into this trap, for example, tend to view situations in terms of the impact on IT, or IT’s potential for having an impact, rather than considering the business as a whole.

In contrast, Thomas says, management teams that have learned to truly act as one group display several distinctive abilities, such as:

■ They make decisions that stick.

■ They model the collaboration they want others in the organization to exhibit.

■ They differentiate the issues or decisions that call for a cross-functional approach from the ones that are best delegated to a single unit or function (for example, where one division has expertise that others lack).

Thomas outlines several steps that executive teams should take toward working together better. Managers can begin by taking a hardheaded look at how well, or poorly, they collaborate. They may need to learn new skills, such as how to make decisions collectively.

One large automotive company that Thomas studied came up with several unconventional metrics to track its progress toward leading as a team. These measures revealed an increase in employee enthusiasm and a changing proportion of cross-functional and global issues on the team’s agenda.

“Chances are, your company will face increasing complexity in the coming years,” writes Thomas. “In such an environment, senior management’s ability to work effectively as a team could mean the difference between extinction and survival.”

-Edward Prewitt


Leadership Agenda by Susan H. Cramm

An  All-Around 
Waste  of  Time 

Full-circle  or  360-degree  feedback  assessments  must  meet  three 
conditions  to  be  useful:  tailored,  internalized  and  followed  up 

For a manager, giving an employee tough feedback can truly be a case of “This hurts me more than it hurts you.” Managers harbor doubts about whether their feedback is completely balanced. They wonder how they can help employees move beyond denial to acceptance and accountability for adopting new behaviors and developing new skills. The 360-degree or full-circle assessment from peers, direct reports, subordinates and supervisors can address these concerns. This kind of assessment has proven pivotal in many careers.

But  360-degree  assessments  can  also  be  an  all-around  waste  of  time.  Many 
well-intentioned  assessment  programs  have  fallen  short  of  their  potential 
because  of  poor  design  and  execution.  In  my  experience,  360s  can  be  a  catalyst 
for  changing  behaviors  if  three  conditions  are  met.  First,  the  survey  needs  to  be 
tailored  to  the  employee— a  one-size-fits-all  approach  does  not  apply.  Second, 
the  survey  recipient  has  to  have  ears  that  want  to  hear.  This  also  requires  a 
supportive  organizational  climate  in  which  everyone  is  seen  as  a  work-in- 
progress.  The  employee  must  be  able  to  control  the  360  process  rather  than  the 
other  way  around.  Finally,  feedback  recipients  need  significant  follow-up 
support  to  fuel  and  guide  their  development  over  time. 

TAILOR  THE  SURVEY.  A  review  of  an  employee’s  leadership  ability  is  not 
much  use  if  this  person  is  struggling  with  interpersonal  issues.  Take  the  case  of 
an  IT  executive  in  financial  services  who  participated  in  a  companywide  360- 
degree  program.  The  results  were  of  little  benefit  to  her  since  the  questions 
focused  on  cultural  fit  and  basic  management  competencies— areas  in  which  she 
scored  very  high,  in  general.  Given  that  she  was  relatively  new  to  the  executive 
ranks,  she  would  have  benefited  much  more  from  an  assessment  that  measured 
the  broader  aspects  of  executive  effectiveness,  with  specific  attention  paid  to  IT. 

Another  dimension  of  survey  relevance  is  how  the  data  is  captured  and 
shared.  Research  indicates  that  "ratings  by  themselves  don’t  yield  the  detailed, 
qualitative comments and insights that can help a colleague improve performance,”
and “without specific comments, recipients are left with no information
to  act  on  and  with  little  sense  of  what  might  help  them  get  better  at  their  jobs" 
(from  Maury  A.  Peiperl’s  Harvard  Business  Review  article  “Getting  360-Degree 
Feedback  Right”). 

READY THE EARS. Benefiting from a 360-degree assessment is all about being psychologically ready to hear and act on the results. Although the prospect of a 360 is scary for many, they don’t resist because the prospect of overhearing what others are saying is too tantalizing. But don’t confuse willingness to participate with readiness to change. Consider the executive who was given feedback that he used his political and relationship skills to sidestep responsibility. This person took no action. The feedback fell on deaf ears because he hadn’t asked for it and didn’t believe he needed it.

You can create a climate in which 360 feedback is positively received by openly sharing your own strengths and development opportunities, by ensuring that frequent on-the-spot coaching is the norm, and by giving participants control over certain aspects of the 360-degree assessment process (such as timing, survey selection, participants, confidentiality and action plans).

BEGIN AT THE END. Someone once said that life is 10 percent what happens to you and 90 percent how you react to it. When a person receives 360-degree feedback, the assessment process is only about 10 percent complete. The heavy lifting of modifying behavior still lies ahead. To appreciate the amount of support necessary to break old habits and adopt new ones, ask yourself whether your latest physical fitness assessment was all you needed to become new and improved and lean and mean. Many of us have discovered that only through the use of a personal trainer are we able to focus on our goals for the time it takes to realize results.

At the office, you can support the change process by providing a coach or mentor — inside or outside the organization — for a minimum of two hours a week for three to six months. If the ears are ready to hear, a coach will help fuel behavior change by reinforcing the elements of accountability, intellectual honesty, time management, skill-building and encouragement.

As an executive coach, I don’t recommend 360s across the board. There are plenty of other ways to gain insights about people’s strengths and development opportunities. The valuable instrument of full-circle assessments is too often trivialized, so it has the same impact as the 30-question magazine quiz that is taken for distraction and amusement but is never taken seriously.


Reader  Q&A 

Susan  H.  Cramm  answers 
questions  on  “An  All-Around 
Waste  of  Time” 

Q:  Most  360  programs  are  anonymous. 
To  me,  that  makes  them  useless. 
Moreover,  most  people  tend  to  focus  on 
weaknesses.  How  about  a  program 
focused  on  identifying  and  leveraging 
strengths  and  ignoring  weaknesses? 

A: I disagree that anonymous feedback is useless and that a focus solely on strengths will help improve effectiveness. When reviewing the results of a 360, both strengths and development opportunities (weakness is such a pessimistic term) should be identified. The strengths allow people to understand their unique gifts — attitudes, skills and behaviors — on which they can build their careers. The development opportunities allow people to mitigate behaviors that may derail their career development over time. For example, a technologist who is rated only highly but not excellent for his ability to deliver results benefits from knowing that people find him difficult to work with, especially if he is interested in assuming leadership positions in the future. This is an important point — strengths and development opportunities should be evaluated in light of career goals.

Regarding the value of anonymity, a 360 participant should focus on the top five strengths and development opportunities and forget the rest. Consensus makes the issue of anonymity irrelevant, while the higher-quality feedback from anonymity makes it a prerequisite for success with a 360.

Q:  I  tried  the  360  tool  for  teachers  in 
the  management  department.  Two 
issues  confront  me: 

1.  How  to  address  conflicting  reports? 

2.  How  to  follow  up  on  the  results  of  the 
program? 

A: The conflicting nature of the feedback is one of the strengths of the 360 process. Performance effectiveness is definitely in the eye of the beholder, and the 360 process must be designed not only to highlight conflicting reports but also to provide insights on the source of the conflicts. The best practice is for the 360 design to incorporate qualitative comments as well as quantitative ratings. An experienced professional should assist in the interpretation of the results and provide follow-up development coaching. The only way to judge the effectiveness of a 360 program is to repeat the survey every year or so as part of a long-term commitment.

Q: What do you think about assessments being tied to salary?

A:  Tying  the  results  of  360s  to  salary 
can  be  a  very  effective  way  of  putting 
your  money  where  your  mouth  is, 
provided  the  survey  is  well  designed 
along  the  dimensions  I’ve  outlined.  To 
ensure  that  the  kinks  are  worked  out  in 
the  design  of  the  360,  most  experts 
recommend  initially  implementing  it  for 
developmental  purposes  and  delaying 
the  linkage  to  incentive  systems  until 
the  assessments  are  well  accepted  and 
understood — by all participants.


To see more reader questions and answers from Susan H. Cramm, go to www.cio.com/leadership/agenda.html. Cramm is president of Valuedance, an executive coaching firm based in San Clemente, Calif. Her e-mail address is scramm@cox.net.



Inside

Under Development: Microbial circuits ... 112

Company to Watch: Polycom ... 113


Sleuthing  Out  Data 

Categorization  software  helps  search-tool  users  find  what  they  seek 

BY  FRED  HAPGOOD 


Edited  by  Christopher 
Lindquist.  Send  your 
thoughts  and  ideas 
for  future  columns  to 
clindquist@cio.com. 


MORE  AND  MORE,  the  problems  that  earn  CIOs 
their  paychecks  revolve  around  making  it  easier 
for  users  to  explore  huge  volumes  of  data.  They 
do  this  through  finding  known  objects  in  huge 
search  spaces,  assembling  top-down  overviews 


that  summarize  the  important  points  of  a  topic, 
and  helping  searchers  decide  what  they  really 
want  when  their  initial  search  ideas  are  confused, 
misguided  or  ambiguous. 

At  one  time,  researchers  speculated  that 




ILLUSTRATIONS  BY  CLEMENTE  BOTELHO 



Finder’s Keepers

Technology: Categorization software

Anticipated benefit: Categorization historically has been a manual process; new tools allow companies to automatically place data into categories, reducing costs and increasing productivity as users find necessary information more easily.

Hurdles: Categorization technology is still new and can involve considerable up-front effort and time (as much as several weeks) to establish necessary rules for categorization.

Vendors

Applied Semantics (www.appliedsemantics.com): Concept Server, a semantics-based categorization tool, plus products specific to editorial and advertising markets

Autonomy (www.autonomy.com): Idol Server, automatic classification tools plus portlets, portals and other products

Endeca Technologies (www.endeca.com): Guided ProFind tools for both search and data navigation

GammaSite (www.gammasite.com): Semantics-based automatic categorization and tagging software

iPhrase Technologies (www.iphrase.com): Categorization and search tools targeting the self-service markets

Mercado Software (www.mercado.com): IntuiFind search-and-browse-based navigation tools

Verity (www.verity.com): Wide variety of search tools, including automatic categorization features in products such as K2


solving such search problems might require artificial intelligence: systems that simulated human thought and could behave like skilled reference librarians. But there is an easier solution — ordering data into categories and subcategories and then having users interact with that structure before looking at the raw results. Consider a hungry New Yorker looking for a place to eat. A search under “New York AND restaurant” that returned only a list of actual eateries would be too long. On the other hand, if the results came packaged in an easy-to-scan collection of restaurant types — Italian, French, Asian and, if necessary, subtypes under that: Korean, Japanese, Vietnamese and so on — the whole set of New York restaurants suddenly becomes navigable.

Categorization also helps with other issues. It solves the overview problem by formatting different categories (restaurant types, locations, price ranges, ratings) side by side, presenting the searcher with a multifaceted, top-down perspective. The same formatting trick helps searchers who don’t quite know what they want by letting them examine query results from several angles at once, interactively.

Category trees are not new. Until recently, however, IT applications required paid humans to think up the category names, define their relationships and write the rules that channeled data into the proper boxes. As a result, the technique was limited to fields with big budgets, such as financial analysis or defense. During the past few years, however, several developments have made it much easier to automate or at least semiautomate categorization, sparking a small revolution in the sophistication of enterprise-level search engines and the number and kinds of users a system can help.

These systems, however, are not exactly plug and play (at least today) and may require significant time to establish rules that ultimately create the final categories. But with proper investment, autocategorization tools can reap significant benefits.

Parsing Parts

In 2000, components distributor Arrow Electronics built and started to sell subscriptions to Ubiquidata, a components database made up of information about more than 23 million items, each with as many as 50 related data elements. The company initially marketed the product to purchasing and material planning professionals within original equipment manufacturers (OEMs). For clients such as those, searching the huge data set was no problem, since they usually knew exactly what they were after, often right down to the manufacturer’s part number.

Arrow, however, wanted to bring the service to another group: design engineers. Unlike line managers, designers seldom know what they are looking for ahead of time. They start with a wish list of properties for the perfect part, filter out candidates that come close but not close enough, and then find the best compromise by carefully comparing the remaining parts and fine-tuning their design. The very last thing they learn is the part number. Customers such as those require a very different set of searching tools.

In response, Arrow struck up a partnership with Endeca Technologies, a startup search vendor that specializes in “query discovery” software — searches that use the experience of navigating around, through and over complex category landscapes to help searchers figure out what they want.

After a development phase of about six months, the search application was ready for the design engineers. Today a user searching the Arrow database can organize results by several interacting categories. For instance, suppose she is looking at the power, size and price categories, and she clicks on a specific range of power (say, 10 to 20 watts). The listings in the size and price categories then automatically change to present just the sizing and pricing of the parts in the desired power range.

The new service started in June 2002, and its success has allowed Arrow to change Ubiquidata’s licensing model from seats to sites, says Chris Henry, Arrow’s vice president and global information business unit general manager. In other words, the database’s ease of use means that enterprises now prefer to let anyone in the company — not just specific individuals — log on and poke around.

The  Politics  of  Searching 

Automatic categorization can do more than just expand markets. “It’s difficult for anyone to understand who hasn’t lived through it to appreciate how political categorization management is,” observes Scott Lundstrom, CIO of AMR Research. “We had a category nomination process. We had a category retirement process. They all required long meetings.” Maintaining and supervising a process consumed a full-time IT position.

Then AMR moved to an autocategorizing product from Autonomy, and things changed for the better. “Today we’re increasingly relying on the software to do category recommendations,” Lundstrom says. “Everybody can see that it recognizes more relationships and that it isn’t biased.” And Lundstrom got his developer back, which made the CIO happiest of all.

U.S. Robotics (USR) is hoping to extract efficiencies from a different source. “We make a low-margin product,” says IT Director Steve Kossel. “One call to our support desk wipes out our profit on that sale.” Surveys show that 90 percent of users calling technical support had visited the USR website before calling. While the jury is still out on USR’s experiment with autocategorization (using tools from iPhrase Technologies), Kossel believes that the products will improve the precision and responsiveness of support on the USR website sufficiently to cut the number of support calls by a third, saving the company more than $135,000 a month.

Even companies that can afford manual tagging have reasons to look at autocategorization. Chat Joglekar, business development manager at USAToday.com, says that the major benefit of autocategorization for his company is consistency. USAToday.com had long used editors to do manual categorizing — or had avoided categorization altogether. But as the sheer mass of online material and the total number of editors kept growing and changing, the slight idiosyncrasies in how each of them categorized information steadily degraded the search function’s performance. Now the online newspaper takes advantage of a product called Concept Server from Applied Semantics. While machines may have their peculiarities, at least their biases are consistent over both time and scale of operation.


Raymond Karrenbauer, CTO of ING Americas’ Technology Management Office, reports a fourth payoff: Automatic categorization and taxonomy makes it easier for a company to add uncategorized or weakly categorized material, such as e-mail messages or ING’s more than 40,000 different formats of unstructured data, to its searchable data space. He adds that categorization improves the work of internal users — allowing customer service reps, for instance, to find what they need faster.

Several trends have combined to make those new services possible. First, two relevant “natural language recognition” technologies have matured almost simultaneously. One maps the frequencies of words in a document and their positions relative to each other to generate a document profile. The software then compares that profile with the profiles of previously categorized reference documents, those of other new documents or both. The first comparison sorts new documents into established categories; the second recognizes new topical “clusters” that probably should be explicit categories. For instance, if two documents have China and ceramics within 10 words of each other, the odds that they should be in the same category go up. Autonomy’s product relies on that approach.

The second technique (the one used by Applied Semantics, Inquira and others) relies on semantics. Given a document, such a program first filters out the important words, then looks up their synonyms, meanings and their thematic relationships (for example, the term chair would be linked to furniture and rocking). Finally it counts the number of these relationships to decide which words are most likely to reflect the document’s major and minor themes. Theoretically such a system can figure out whether an article on chips belongs under food, gambling, computers or horses, even if none of those specific terms appears in the document.

Perhaps the best news for vendors designing autocategorization products, however, has nothing to do with research breakthroughs. Today, more and more information travels with a lengthening entourage of data about itself (such as e-mail headers or meta-tags in webpages). Autocategorization software can recognize and leverage that data for its own ends. For example, iPhrase Technologies specializes in finding and harvesting, or “spidering,” categorization information across many data types. “Three to four years ago, we had to code up explicit structure with every deployment,” says Senior Product Manager Roy Rodenstein. “But today our clients have much richer data.”

All those trends have made autocategorization, and therefore smarter searching tools, a bright spot in today’s IT scene. Many companies have entered the sector. Some, such as Endeca or Mercado Software, specialize in the display and management of the categories that users see and interact with. Others, such as Applied Semantics, Autonomy and GammaSite, focus on the back end: looking at input documents and creating the meta-data the display tools need in order to work. Another set of companies, including longtime search player Verity, does both.

There’s no sign that advances in categorization and search technology will slow down anytime soon either. If searching is the foundation of all our relations with the online data, and categorization is the foundation of intelligent searching, then it seems likely that CIOs are going to be boosting the IQ of their searching tools for some time to come. Smart searching might very well become as important to the face of an enterprise as smart salespeople. ■


Fred  Hapgood  is  a  freelance  writer  based  in 
Boston.  He  can  be  reached  for  comments  at 
hapgood@pobox.com. 


UNDER  DEVELOPMENT 
Nanotech 

Bubbling  Up  Nanostructures 

NEARLY BOILING, acidic hot springs could lead to the creation of electronic components that are 10 to 100 times smaller than today’s smallest parts.

While exploring extreme environments similar to those that might exist on other planets, scientists at the NASA Ames Research Center investigated natural hot springs. While experimenting with microbes that live in the springs, researchers discovered that modified proteins taken from the organisms could be used to grow meshlike “nanostructures.”

By  manipulating  the  DNA  in  the  Sulfolobus  shibatae  protein,  the  researchers  were 
able  to  create  proteins  that  self-assemble  into  a  tiny,  two-dimensional  lattice  capable  of 
capturing  metal  and  semiconductor  material  particles  at  specific  locations. 

Creating  large  quantities  of  the  modified  protein  is  relatively  easy.  The  researchers 
clone  the  gene  coding  for  the  protein  into  rapidly  multiplying  E.  coli  bacteria  and  then 
brew  the  mixture  inside  a  vat.  The  high  temperature  process  doesn’t  affect  the  protein— 
which  is  accustomed  to  living  in  a  hellish  environment— yet  it  safely  destroys  nearly  all 
the  proteins  from  the  nasty  E.  coli  bug. 

The Sulfolobus protein self-assembles into rings that are about 5,000 times thinner than a human hair. These then associate into a honeycomblike lattice that is applied to a silicon wafer substrate and then blanketed with a gold or semiconductor slurry of particles. “The particles that stick to the structure are ‘quantum dots’ that are about one to 10 nanometers across,” says Andrew McMillan, the project’s coinvestigator. Current computer chips contain features that are approximately 130 nanometers apart.

“With further refinement, the nanostructures could someday serve as computer memory, a sensor or a logic device,” says McMillan. First, however, researchers must find a way to develop large numbers of protein-based circuits at a competitive price. But the raw material is cheap and the size benefits substantial, so that shouldn’t be a big problem. “The obstacles seem surmountable,” says Jonathan Trent, the research project’s principal investigator.

-John  Edwards 



COMPANY  TO  WATCH 
Polycom 

Unified  Conferencing 

Polycom  eliminates  connection  boundaries  to  distance  conferencing 

BY  DEBBY  YOUNG 


YOU’D PROBABLY RECOGNIZE Polycom’s famous tri-corner speaker phones, the gray communicators that crouch on conference room tables around the world. But now the company is looking to take islands of conferencing technology — audio, video and Web collaboration — and unify them into a conferencing experience that lets anyone join in at anytime, from anywhere and via any network connection.

Two of Polycom’s customers — manufacturing conglomerate W.R. Grace and Barton Malow, a $1.2 billion construction company — are already taking advantage of this converging conferencing technology to spur growth and significantly cut operating costs.

“We’re using Polycom’s WebOffice internally to facilitate working sessions among remote teams and have also started using the technology with our customers for troubleshooting and engineering collaboration,” says Guy Welty, manager of global media networks and collaborative services for W.R. Grace.

For example, W.R. Grace content experts can use Polycom technology to present information to as many as 30 customers at once, speeding interaction with the customer and saving the experts travel time. It’s also easy to set up last-minute meetings. The company cut more than $1 million in travel costs because of the unified conferencing technology. By bringing Web casting and audio bridging in-house, Welty estimates that the company saves another $700,000 annually in fees that would otherwise go to service providers such as AT&T, WebEx Communications and Yahoo.


Polycom

Headquarters: Pleasanton, Calif.
Founded: 1990
Employees: Approximately 1,200
Revenue: $383.2 million
Products: Polycom Office, which includes SoundStation for teleconferencing, WebOffice for Web collaboration, ViewStation for videoconferencing, iPower for video collaboration
Reason to watch: Unified conferencing technology provides a platform for seamless teleconferencing and videoconferencing integrated with Web collaboration
Hurdles: Overcoming pricing barriers that have limited investments in conferencing technology to the boardroom instead of mainstream business communication
Website: www.polycom.com

Barton  Malow’s  CIO,  Phil  Go,  says 
Polycom’s  iPower  system  has  enhanced  his 
company’s  ability  to  share  applications 
and  documents  during  a  video  call.  “The 
ability  to  walk  into  a  room,  hit  dial  to 
connect  with  colleagues,  and  then  simply 
plug  in  a  laptop  to  easily  share  content 
and  work  together  as  if  everyone  was  in 
the  same  location  is  huge,”  says  Go. 

The videoconferencing industry needs to move into this unified messaging space to sustain the growth it’s seen during the past two years, says Gerry Kaufhold, principal analyst for multimedia and broadband at research company In-Stat/MDR. With war, terrorism and high fuel costs, the business climate is primed for a travel-free form of communication. “Having Polycom get into this space is just a really good sign,” says Kaufhold.

While he believes there’s plenty of opportunity for everyone to benefit in this arena — manufacturers and service providers alike — Elliot Gold, president of research company Telespan, raises a cautionary flag. Microsoft recently acquired remote collaboration provider Placeware and will begin bundling unified messaging with its Office 15 product. “This will allow users of Microsoft Office to do many of the things Polycom WebOffice offers, in particular online collaboration through documents, graphics, and even video and voice,” says Gold. “And with Placeware technology added to the mix, the new Office 15 will allow ad hoc, real-time, virtual meetings.” Microsoft has the potential, he thinks, to steamroll over everyone.

WebEx is also promoting its tools well, notes Gold. But Kaufhold says that Polycom and WebEx might be beneficial to one another — opening up opportunities for multiple technologies to enhance collaboration. Kaufhold sees high-end competitors — such as Tandberg and Sony’s Video Conferencing Group, as well as unified messaging software vendors such as Forgent Networks — carving a niche for themselves in the unified conferencing space. “We think the worldwide market for the technology will grow to more than $2.2 billion during 2006,” says Kaufhold.

He feels that if Polycom can bring its technology from the corporate boardroom to the department meeting room, it will make significant inroads into mainstream business communications. But that will mean price cuts. According to Barton Malow’s Go, a unified conferencing system currently runs his company as much as $50,000. But he predicts that competitive pressure and technological innovations will drop Polycom’s per-unit price to the $10,000 range. When that happens, he says, “Nothing would please me more than having a unit in every job site.” ■






CIO  IS  PUBLISHED  IN  THE 
UNITED  STATES  AS  WELL  AS  IN: 

Australia, CIO Australia www.idg.com.au
Canada, CIO Canada www.lti.on.ca/cio
China, CEO & CIO China www.ceocio.com.cn
Germany, CIO Germany www.cio.de
India, CIO India 91-80-521-0309/12
Japan, CIO Japan www.idg.co.jp
Korea, CIO Korea www.cio.seoul.kr
New Zealand, CIO New Zealand www.idg.co.nz
Poland, CXO Poland www.cxo.pl
Singapore, CIO ACEN/Hong-Kong www.idg.com.sg
Sweden, CIO Sweden www.cio.idg.se

CIO  Contact 
Information 

Editorial, Advertising and Business Offices: 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

CIO (ISSN 0894-9301) is published semimonthly and as a combined issue December 15/January 1 by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals postage paid at Framingham, MA, and at additional mailing offices. Canada Publications Mail Agreement Number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions:  Copyright  2003  by 
CXO  Media  Inc.  All  rights  reserved. 
Reproduction  of  material  appearing 
in  CIO  is  forbidden  without  written 
permission.  Send  all  requests  to 
Permissions  Department,  CIO,  492 
Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208. 

Photocopy Rights: Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CIO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 0894-9301. Permission to photocopy does not extend to contributed articles followed by this symbol: %.

Subscriptions: Address inquiries to CIO, P.O. Box 489, Northbrook, IL 60065-0489; 866 354-1125. CIO is free to qualified information executives. To all others the one-year basic rate is $150 for the United States and Canada, $195 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio  and 
follow  the  online  instructions. 

Postmaster:  Send  change  of  address 
to  CIO,  P.O.  Box  489,  Northbrook,  IL 
60065-9816.  Printed  in  the  U.S.A. 




EXECUTIVE 


May  1,  2003 


COVER  STORY 
Portfolio  Management 

By Todd Datz | 56

Seventy-five percent of IT organizations maintain little oversight over their project portfolio and have nonrepeatable, chaotic planning processes in place. To avoid squandering scarce IT dollars, companies need an effective IT portfolio management process that takes a holistic view. In a portfolio approach, proposals are categorized, evaluated and vetted by IT and business leaders who match projects against strategic objectives. Though portfolio models vary among experienced portfolio management advocates, such as DHL, Eli Lilly and Merrill Lynch, they share underlying best practices. It begins with gathering a detailed inventory of all projects in the company, ideally in a single database. For successful prioritization, projects should be separated by type into a few categories to facilitate comparison. Each project under consideration must have a business case showing estimated cost, ROI, business benefit, risk assessment and how the project ties into the company’s strategic objectives. Portfolio management requires continuous monitoring to update project status and flag troubled initiatives, and the portfolio needs periodic adjustment for changing market conditions and strategic priorities.


“When  we  started  this, 
the  IT  people  were 
proposing  the  projects. 
Now  the  businesspeople 
propose  the  projects  and 
take  responsibility  for 
timeliness  of  delivery.” 

-MARVIN  BALLIET,  CFO,  MERRILL  LYNCH 
GLOBAL  TECHNOLOGY  AND  SERVICES 


IT Staff Stress By Stephanie Overby | 72

A PERFECT STORM OF FORCES — the economic malaise, reductions in IT workforce, changes in company leadership and an increase in outsourcing — has led to unprecedented IT staff stress levels, according to new CIO research. Despite the forbidding job market, if CIOs don’t do something now, their best workers will leave and organizations will suffer costs related to absenteeism and productivity decreases among those who remain. CIOs can do battle on behalf of their staffs by using project management and governance to prioritize and limit the number of projects, and to give employees more control and accountability. Honest communication is critical; when outsourcing looms, address employee concerns that in-house developers will become obsolete by offering them opportunities to learn systems analysis and gain more strategic skills. And to stave off burnout, give IT employees time each week to devote to strategic work rather than the immediate tasks at hand.


ASP Comeback By Meridith Levinson | 88

IT MAY BE TIME FOR CIOS to get over their (not unfounded) aversion to application service providers. In the CRM space, ASPs are an increasingly viable solution, particularly for small and midsize companies. For enterprises from British Airways to Briggs & Stratton, going with a hosted CRM or sales-force automation solution turned out to be easier and less costly than deploying a licensed enterprise software package. After verifying sound security practices and vendor viability, the companies took five months on average to roll out their ASP applications. CIOs found vendors bending over backward to accommodate greater support levels and customization. ASP customers don’t have the capital expenses associated with purchasing infrastructure, but they must pay the monthly service fee, which makes the long-term cost savings only about 25 percent, according to one analyst.


Public-Sector CIOs By Tracy Mayor | 94

IN THE PAST 18 MONTHS, more top-flight CIOs from corporate powerhouses have been saying yes to jobs in the public sector. Their motivation, surprisingly, isn’t post-9/11 altruism or disgust with corporate financial scandals but old-fashioned careerism. Being a public-sector CIO — be it state or major municipality — can be both a great job and a great investment in the future. Although the pay can be 70 percent lower than at a comparable private-sector organization, state CIO positions offer wide-ranging authority, a surprisingly free hand to creatively effect change and budgets that rival those of Fortune 50 organizations. These jobs require negotiation skills and the ability to explain the benefits of technology simply and clearly to everyone from weary taxpayers to skeptical legislators. Though the pressures of public scrutiny can be intense, the unique reward, say public-sector CIOs, is the fulfilling sense of stewardship on behalf of taxpayers.


Emerging Technology: Autocategorization By Fred Hapgood | 108

TOPICAL SEARCH ENGINES have struggled to accommodate the three main search types: finding
known objects in huge search spaces, assembling top-down overviews that can orient naive users
to a general topic, and helping searchers decide what they really want when their initial search terms
are ambiguous. Until recently, IT applications were dependent on people to think up the category
names, define their relationships and write the rules that channeled data into the right category boxes.
This costly process limited the categorization technique to industries with big budgets, such as financial
analysis or defense. But during the past few years, several developments, including the maturation
of natural language recognition technologies, have made it much easier to automate or at least
semiautomate categorization, sparking growth in sophisticated enterprise-level search engines.




